SSH_CONFIG(5)                 File Formats Manual                SSH_CONFIG(5)

NAME
     ssh_config – OpenSSH SSH client configuration files

SYNOPSIS
     ~/.ssh/config
     /etc/ssh/ssh_config

DESCRIPTION
     ssh(1) obtains configuration data from the following sources in the
     following order:

           1.   command-line options
           2.   user's configuration file (~/.ssh/config)
           3.   system-wide configuration file (/etc/ssh/ssh_config)

     For each parameter, the first obtained value will be used. The
     configuration files contain sections separated by Host specifications,
     and that section is only applied for hosts that match one of the patterns
     given in the specification. The matched host name is usually the one
     given on the command line (see the CanonicalizeHostname option for
     exceptions).

     Since the first obtained value for each parameter is used, more
     host-specific declarations should be given near the beginning of the
     file, and general defaults at the end.

     The file contains keyword-argument pairs, one per line. Lines starting
     with ‘#’ and empty lines are interpreted as comments. Arguments may
     optionally be enclosed in double quotes (") in order to represent
     arguments containing spaces. Configuration options may be separated by
     whitespace or optional whitespace and exactly one ‘=’; the latter format
     is useful to avoid the need to quote whitespace when specifying
     configuration options using the ssh, scp, and sftp -o option.

     The possible keywords and their meanings are as follows (note that
     keywords are case-insensitive and arguments are case-sensitive):

     Host    Restricts the following declarations (up to the next Host or
             Match keyword) to be only for those hosts that match one of the
             patterns given after the keyword. If more than one pattern is
             provided, they should be separated by whitespace. A single ‘*’
             as a pattern can be used to provide global defaults for all
             hosts. The host is usually the hostname argument given on the
             command line (see the CanonicalizeHostname keyword for
             exceptions).

             A pattern entry may be negated by prefixing it with an
             exclamation mark (‘!’). If a negated entry is matched, then the
             Host entry is ignored, regardless of whether any other patterns
             on the line match. Negated matches are therefore useful to
             provide exceptions for wildcard matches.

             See PATTERNS for more information on patterns.

     Match   Restricts the following declarations (up to the next Host or
             Match keyword) to be used only when the conditions following the
             Match keyword are satisfied. Match conditions are specified
             using one or more criteria or the single token all which always
             matches. The available criteria keywords are: canonical, exec,
             host, originalhost, user, and localuser. The all criteria must
             appear alone or immediately after canonical. Other criteria may
             be combined arbitrarily. All criteria but all and canonical
             require an argument. Criteria may be negated by prepending an
             exclamation mark (‘!’).

             The canonical keyword matches only when the configuration file is
             being re-parsed after hostname canonicalization (see the
             CanonicalizeHostname option). This may be useful to specify
             conditions that work with canonical host names only. The exec
             keyword executes the specified command under the user's shell.
             If the command returns a zero exit status then the condition is
             considered true. Commands containing whitespace characters must
             be quoted. Arguments to exec accept the tokens described in the
             TOKENS section.

             The other keywords' criteria must be single entries or
             comma-separated lists and may use the wildcard and negation
             operators described in the PATTERNS section. The criteria for the
             host keyword are matched against the target hostname, after any
             substitution by the Hostname or CanonicalizeHostname options.
             The originalhost keyword matches against the hostname as it was
             specified on the command-line. The user keyword matches against
             the target username on the remote host. The localuser keyword
             matches against the name of the local user running ssh(1) (this
             keyword may be useful in system-wide ssh_config files).
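
     The resolution rules described above (one keyword-argument pair per
     line, ‘#’ comments, the optional ‘=’ separator, double-quoted arguments,
     case-insensitive keywords, Host pattern lists with ‘*’, ‘?’ and ‘!’
     negation, Match criteria, and first-obtained-value-wins across the
     command line, ~/.ssh/config and /etc/ssh/ssh_config) as an added Python
     example. This is illustration code written for this page, not
     OpenSSH's own parser: the two configuration texts, the connection
     context and the function names (parse_config, stanza_applies, resolve)
     are this example's constructions, and Match supports only all, host,
     originalhost, user and localuser (exec and canonical are not modeled).

```python
"""Minimal ssh_config reader (added example, not OpenSSH code).

Implements: keyword/argument lines, '#' comments, optional '=' separator,
double-quoted arguments, Host pattern lists ('*', '?', '!' negation), a subset
of Match, and first-obtained-value-wins across the three sources.
"""
import re
import shlex
from typing import Dict, List, Optional, Tuple

USER_CONFIG = """\
# constructed ~/.ssh/config (sample data for this example)
Host bastion.example.com
    User jump
    IdentityFile ~/.ssh/id_bastion

Host *.example.com !bastion.example.com
    ProxyCommand "ssh -W %h:%p bastion.example.com"

Match host *.internal.example.com localuser alice
    AddKeysToAgent = confirm

Host *
    User alice
    AddKeysToAgent no
"""

SYSTEM_CONFIG = """\
# constructed /etc/ssh/ssh_config (sample data for this example)
Host *
    HashKnownHosts yes
    AddKeysToAgent yes
"""

def pattern_match(pattern: str, value: str) -> bool:
    """ssh-style glob: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def pattern_list_match(patterns: List[str], value: str) -> bool:
    """True if some positive pattern matches and no '!'-negated pattern matches."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if pattern_match(pat[1:], value):
                return False              # a negated hit overrides any positive match
        elif pattern_match(pat, value):
            positive = True
    return positive

def parse_line(line: str) -> Optional[Tuple[str, List[str]]]:
    """Split 'Keyword args', 'Keyword=args' or 'Keyword = args'; None for blank/comment."""
    text = line.strip()
    if not text or text.startswith("#"):
        return None
    m = re.match(r"(\w+)\s*=?\s*(.*)", text)
    if m is None:
        raise ValueError(f"unparseable line: {line!r}")
    return m.group(1).lower(), shlex.split(m.group(2))   # shlex honours double quotes

def parse_config(text: str) -> List[Tuple[Optional[str], List[str], List[Tuple[str, List[str]]]]]:
    """Group declarations into (kind, spec, decls) stanzas; kind None = before any Host/Match."""
    stanzas = [(None, [], [])]
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        keyword, args = parsed
        if keyword in ("host", "match"):
            stanzas.append((keyword, args, []))
        else:
            stanzas[-1][2].append((keyword, args))
    return stanzas

def stanza_applies(kind: Optional[str], spec: List[str], ctx: Dict[str, str]) -> bool:
    """Evaluate a Host pattern list or Match criteria against the connection context."""
    if kind is None:
        return True
    if kind == "host":
        return pattern_list_match(spec, ctx["host"])
    i = 0
    while i < len(spec):                  # Match: criteria, each optionally negated with '!'
        token = spec[i]; i += 1
        negate = token.startswith("!")
        crit = token.lstrip("!").lower()
        if crit == "all":
            ok = True
        elif crit in ("host", "originalhost", "user", "localuser"):
            if i >= len(spec):
                raise ValueError(f"Match {crit} requires an argument")
            ok = pattern_list_match(spec[i].split(","), ctx[crit]); i += 1
        else:
            raise ValueError(f"Match criterion {crit!r} is not modeled in this example")
        if ok == negate:                  # criterion failed, or a negated one succeeded
            return False
    return True

def resolve(keyword: str, ctx: Dict[str, str], cli_options: Dict[str, List[str]],
            user_config: str = USER_CONFIG, system_config: str = SYSTEM_CONFIG) -> Optional[List[str]]:
    """First obtained value: command line, then ~/.ssh/config, then /etc/ssh/ssh_config."""
    wanted = keyword.lower()
    cli = {k.lower(): v for k, v in cli_options.items()}
    if wanted in cli:
        return cli[wanted]
    for config in (user_config, system_config):
        for kind, spec, decls in parse_config(config):
            if stanza_applies(kind, spec, ctx):
                for name, args in decls:
                    if name == wanted:
                        return args
    return None

if __name__ == "__main__":
    ctx = {"host": "db1.internal.example.com", "originalhost": "db1.internal.example.com",
           "user": "alice", "localuser": "alice"}
    for key in ("User", "ProxyCommand", "AddKeysToAgent", "HashKnownHosts"):
        print(f"{key:15} -> {resolve(key, ctx, {})}")
```

     Running it shows why the page says to put host-specific stanzas first:
     for db1.internal.example.com the Match stanza's AddKeysToAgent confirm
     wins over the later Host * value, the system file only supplies values
     the user file never set (HashKnownHosts), and for bastion.example.com
     the negated pattern keeps the ProxyCommand stanza from applying.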

     AddKeysToAgent
             Specifies whether keys should be automatically added to a running
             ssh-agent(1). If this option is set to yes and a key is loaded
             from a file, the key and its passphrase are added to the agent
             with the default lifetime, as if by ssh-add(1). If this option
             is set to ask, ssh(1) will require confirmation using the
             SSH_ASKPASS program before adding a key (see ssh-add(1) for
             details). If this option is set to confirm, each use of the key
             must be confirmed, as if the -c option was specified to
             ssh-add(1). If this option is set to no, no keys are added to
             the agent. The argument must be yes, confirm, ask, or no (the
             default).

     AddressFamily
             Specifies which address family to use when connecting. Valid
             arguments are any (the default), inet (use IPv4 only), or inet6
             (use IPv6 only).

     BatchMode
             If set to yes, passphrase/password querying will be disabled.
             This option is useful in scripts and other batch jobs where no
             user is present to supply the password. The argument must be yes
             or no (the default).

     BindAddress
             Use the specified address on the local machine as the source
             address of the connection. Only useful on systems with more than
             one address. Note that this option does not work if
             UsePrivilegedPort is set to yes.

     CanonicalDomains
             When CanonicalizeHostname is enabled, this option specifies the
             list of domain suffixes in which to search for the specified
             destination host.

     CanonicalizeFallbackLocal
             Specifies whether to fail with an error when hostname
             canonicalization fails. The default, yes, will attempt to look
             up the unqualified hostname using the system resolver's search
             rules. A value of no will cause ssh(1) to fail instantly if
             CanonicalizeHostname is enabled and the target hostname cannot be
             found in any of the domains specified by CanonicalDomains.

     CanonicalizeHostname
             Controls whether explicit hostname canonicalization is performed.
             The default, no, is not to perform any name rewriting and let the
             system resolver handle all hostname lookups. If set to yes then,
             for connections that do not use a ProxyCommand, ssh(1) will
             attempt to canonicalize the hostname specified on the command
             line using the CanonicalDomains suffixes and
             CanonicalizePermittedCNAMEs rules. If CanonicalizeHostname is
             set to always, then canonicalization is applied to proxied
             connections too.

             If this option is enabled, then the configuration files are
             processed again using the new target name to pick up any new
             configuration in matching Host and Match stanzas.

     CanonicalizeMaxDots
             Specifies the maximum number of dot characters in a hostname
             before canonicalization is disabled. The default, 1, allows a
             single dot (i.e. hostname.subdomain).

     CanonicalizePermittedCNAMEs
             Specifies rules to determine whether CNAMEs should be followed
             when canonicalizing hostnames. The rules consist of one or more
             arguments of source_domain_list:target_domain_list, where
             source_domain_list is a pattern-list of domains that may follow
             CNAMEs in canonicalization, and target_domain_list is a
             pattern-list of domains that they may resolve to.

             For example, "*.a.example.com:*.b.example.com,*.c.example.com"
             will allow hostnames matching "*.a.example.com" to be
             canonicalized to names in the "*.b.example.com" or
             "*.c.example.com" domains.
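
     The interplay of CanonicalDomains, CanonicalizeMaxDots,
     CanonicalizeFallbackLocal and CanonicalizePermittedCNAMEs, walked
     through as an added Python example against a constructed DNS table
     instead of the system resolver. This is illustration code for this
     page, not OpenSSH's implementation; the DNS entries, the rule list
     and the function canonicalize are this example's own. One point the
     page does not spell out is assumed here: when a candidate name resolves
     through a CNAME that no rule permits, the candidate name itself is kept
     as the canonical name.

```python
"""Hostname canonicalization walk-through (added example, not OpenSSH code)."""
import fnmatch
from typing import Dict, List, Tuple

# Constructed DNS table for the demo: name -> ("A", address) or ("CNAME", target)
DNS: Dict[str, Tuple[str, str]] = {
    "web1.corp.example.com": ("CNAME", "web1.hosting.example.net"),
    "web1.hosting.example.net": ("A", "192.0.2.10"),
    "db1.corp.example.com": ("A", "192.0.2.20"),
    "git.lab.example.com": ("CNAME", "git.other.example.org"),
    "git.other.example.org": ("A", "192.0.2.30"),
}

def matches_pattern_list(patterns: List[str], name: str) -> bool:
    """ssh pattern list: '*'/'?' wildcards; a matching '!' entry vetoes the whole list."""
    if any(p.startswith("!") and fnmatch.fnmatchcase(name, p[1:]) for p in patterns):
        return False
    return any(not p.startswith("!") and fnmatch.fnmatchcase(name, p) for p in patterns)

def parse_cname_rules(rules: List[str]) -> List[Tuple[List[str], List[str]]]:
    """'source_list:target_list' -> ([source patterns], [target patterns])."""
    parsed = []
    for rule in rules:
        if rule.count(":") != 1:
            raise ValueError(f"bad CanonicalizePermittedCNAMEs rule: {rule!r}")
        source, target = rule.split(":")
        parsed.append((source.split(","), target.split(",")))
    return parsed

def cname_permitted(name: str, target: str, rules: List[Tuple[List[str], List[str]]]) -> bool:
    """True when some rule's source list matches name and its target list matches target."""
    return any(matches_pattern_list(src, name) and matches_pattern_list(dst, target)
               for src, dst in rules)

def canonicalize(host: str, canonical_domains: List[str], permitted_cnames: List[str],
                 max_dots: int = 1, fallback_local: bool = True,
                 dns: Dict[str, Tuple[str, str]] = DNS) -> str:
    """Return the canonical name for host, assuming CanonicalizeHostname is enabled."""
    # CanonicalizeMaxDots: a name with more dots than allowed is not canonicalized at all
    if host.count(".") > max_dots:
        return host
    rules = parse_cname_rules(permitted_cnames)
    for suffix in canonical_domains:              # CanonicalDomains, tried in order
        candidate = f"{host}.{suffix}"
        record = dns.get(candidate)
        if record is None:
            continue
        rtype, value = record
        if rtype == "CNAME" and cname_permitted(candidate, value, rules):
            return value                          # CNAME followed: its target is canonical
        return candidate                          # A record, or CNAME not permitted (assumption)
    # CanonicalizeFallbackLocal yes: hand the unqualified name back to the system resolver
    if fallback_local:
        return host
    raise LookupError(f"{host!r} not found in any of CanonicalDomains {canonical_domains}")

if __name__ == "__main__":
    domains = ["corp.example.com", "lab.example.com"]
    rules = ["*.corp.example.com:*.hosting.example.net"]
    for name in ("web1", "db1", "git", "a.b.c", "nosuch"):
        print(f"{name:8} -> {canonicalize(name, domains, rules)}")
```

     The rule list is the allow-list that decides which CNAME targets a short
     name may be rewritten to; with the sample table, web1 is rewritten into
     hosting.example.net because a rule permits it, while git stays at
     git.lab.example.com because no rule covers lab.example.com sources. The
     name this returns is what the configuration files are re-parsed with.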

     CertificateFile
             Specifies a file from which the user's certificate is read. A
             corresponding private key must be provided separately in order to
             use this certificate either from an IdentityFile directive or -i
             flag to ssh(1), via ssh-agent(1), or via a PKCS11Provider.

             Arguments to CertificateFile may use the tilde syntax to refer to
             a user's home directory or the tokens described in the TOKENS
             section.

             It is possible to have multiple certificate files specified in
             configuration files; these certificates will be tried in
             sequence. Multiple CertificateFile directives will add to the
             list of certificates used for authentication.

     ChallengeResponseAuthentication
             Specifies whether to use challenge-response authentication. The
             argument to this keyword must be yes (the default) or no.

     CheckHostIP
             If set to yes (the default), ssh(1) will additionally check the
             host IP address in the known_hosts file. This allows it to
             detect if a host key changed due to DNS spoofing and will add
             addresses of destination hosts to ~/.ssh/known_hosts in the
             process, regardless of the setting of StrictHostKeyChecking. If
             the option is set to no, the check will not be executed.

     Cipher  Specifies the cipher to use for encrypting the session in
             protocol version 1. Currently, blowfish, 3des (the default), and
             des are supported, though des is only supported in the ssh(1)
             client for interoperability with legacy protocol 1
             implementations; its use is strongly discouraged due to
             cryptographic weaknesses.

     Ciphers
             Specifies the ciphers allowed for protocol version 2 in order of
             preference. Multiple ciphers must be comma-separated. If the
             specified value begins with a ‘+’ character, then the specified
             ciphers will be appended to the default set instead of replacing
             them. If the specified value begins with a ‘-’ character, then
             the specified ciphers (including wildcards) will be removed from
             the default set instead of replacing them.

             The supported ciphers are:

                   3des-cbc
                   aes128-cbc
                   aes192-cbc
                   aes256-cbc
                   aes128-ctr
                   aes192-ctr
                   aes256-ctr
                   aes128-gcm@openssh.com
                   aes256-gcm@openssh.com
                   arcfour
                   arcfour128
                   arcfour256
                   blowfish-cbc
                   cast128-cbc
                   chacha20-poly1305@openssh.com

             The default is:

                   chacha20-poly1305@openssh.com,
                   aes128-ctr,aes192-ctr,aes256-ctr,
                   aes128-gcm@openssh.com,aes256-gcm@openssh.com,
                   aes128-cbc,aes192-cbc,aes256-cbc

             The list of available ciphers may also be obtained using "ssh -Q
             cipher".

     ClearAllForwardings
             Specifies that all local, remote, and dynamic port forwardings
             specified in the configuration files or on the command line be
             cleared. This option is primarily useful when used from the
             ssh(1) command line to clear port forwardings set in
             configuration files, and is automatically set by scp(1) and
             sftp(1). The argument must be yes or no (the default).

     Compression
             Specifies whether to use compression. The argument must be yes
             or no (the default).

     CompressionLevel
             Specifies the compression level to use if compression is enabled.
             The argument must be an integer from 1 (fast) to 9 (slow, best).
             The default level is 6, which is good for most applications. The
             meaning of the values is the same as in gzip(1). Note that this
             option applies to protocol version 1 only.

     ConnectionAttempts
             Specifies the number of tries (one per second) to make before
             exiting. The argument must be an integer. This may be useful in
             scripts if the connection sometimes fails. The default is 1.

     ConnectTimeout
             Specifies the timeout (in seconds) used when connecting to the
             SSH server, instead of using the default system TCP timeout.
             This value is used only when the target is down or really
             unreachable, not when it refuses the connection.

     ControlMaster
             Enables the sharing of multiple sessions over a single network
             connection. When set to yes, ssh(1) will listen for connections
             on a control socket specified using the ControlPath argument.
             Additional sessions can connect to this socket using the same
             ControlPath with ControlMaster set to no (the default). These
             sessions will try to reuse the master instance's network
             connection rather than initiating new ones, but will fall back to
             connecting normally if the control socket does not exist, or is
             not listening.

             Setting this to ask will cause ssh(1) to listen for control
             connections, but require confirmation using ssh-askpass(1). If
             the ControlPath cannot be opened, ssh(1) will continue without
             connecting to a master instance.

             X11 and ssh-agent(1) forwarding is supported over these
             multiplexed connections, however the display and agent forwarded
             will be the one belonging to the master connection, i.e. it is
             not possible to forward multiple displays or agents.

             Two additional options allow for opportunistic multiplexing: try
             to use a master connection but fall back to creating a new one if
             one does not already exist. These options are: auto and autoask.
             The latter requires confirmation like the ask option.

     ControlPath
             Specify the path to the control socket used for connection
             sharing as described in the ControlMaster section above or the
             string none to disable connection sharing. Arguments to
             ControlPath may use the tilde syntax to refer to a user's home
             directory or the tokens described in the TOKENS section. It is
             recommended that any ControlPath used for opportunistic
             connection sharing include at least %h, %p, and %r (or
             alternatively %C) and be placed in a directory that is not
             writable by other users. This ensures that shared connections
             are uniquely identified.
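
     The two ControlPath recommendations above (a template that carries %h,
     %p and %r, or %C, so that shared connections are uniquely identified,
     and a socket directory that other users cannot write to) turned into a
     small lint, as an added Python example. This is illustration code for
     this page, not a check ssh(1) itself performs; the function names and
     the reading of "not writable by other users" as "owned by the caller
     with no group or other write bit" are this example's own, and only ‘~’
     is expanded (the % tokens are left in place because the check is about
     their presence, not their values).

```python
"""ControlPath sanity check (added example, not OpenSSH code)."""
import os
import stat
import tempfile
from typing import List, Tuple

def control_path_is_unique(template: str) -> bool:
    """True when the template contains %h, %p and %r together, or %C."""
    return "%C" in template or all(tok in template for tok in ("%h", "%p", "%r"))

def directory_is_private(path: str) -> bool:
    """True for a directory owned by the caller with no group/other write permission."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return False
    if hasattr(os, "getuid") and st.st_uid != os.getuid():   # getuid is POSIX-only
        return False
    return (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)) == 0

def check_control_path(template: str) -> List[str]:
    """Return findings for a ControlPath value; an empty list means nothing to flag."""
    findings: List[str] = []
    if template.lower() == "none":          # connection sharing disabled: nothing to check
        return findings
    if not control_path_is_unique(template):
        findings.append("template lacks %h, %p and %r (or %C): sessions to different "
                        "hosts, ports or users could end up on one socket")
    directory = os.path.dirname(os.path.expanduser(template)) or "."
    if not os.path.isdir(directory):
        findings.append(f"socket directory {directory} does not exist")
    elif not directory_is_private(directory):
        findings.append(f"socket directory {directory} is writable by other users")
    return findings

def make_demo_directories() -> Tuple[str, str]:
    """Create a mode-0700 and a mode-0777 scratch directory (constructed fixtures)."""
    private = tempfile.mkdtemp()
    os.chmod(private, 0o700)
    shared = tempfile.mkdtemp()
    os.chmod(shared, 0o777)
    return private, shared

if __name__ == "__main__":
    private, shared = make_demo_directories()
    for value in (private + "/%r@%h:%p", private + "/%C", shared + "/%C",
                  private + "/master-%h", "/tmp/ssh-%h", "none"):
        print(f"{value:40} -> {check_control_path(value) or 'ok'}")
```

     A path under /tmp is the typical thing this catches: the directory is
     writable by everyone, so a socket placed there does not meet the
     recommendation even if its template is fully qualified.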
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 303 | |
| 304 | ControlPersist |
| 305 | When used in conjunction with ControlMaster, specifies that the |
| 306 | master connection should remain open in the background (waiting |
| 307 | for future client connections) after the initial client |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 308 | connection has been closed. If set to no, then the master |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 309 | connection will not be placed into the background, and will close |
| 310 | as soon as the initial client connection is closed. If set to |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 311 | yes or 0, then the master connection will remain in the |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 312 | background indefinitely (until killed or closed via a mechanism |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 313 | such as the "ssh -O exit"). If set to a time in seconds, or a |
| 314 | time in any of the formats documented in sshd_config(5), then the |
| 315 | backgrounded master connection will automatically terminate after |
| 316 | it has remained idle (with no client connections) for the |
| 317 | specified time. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 318 | |
| 319 | DynamicForward |
| 320 | Specifies that a TCP port on the local machine be forwarded over |
| 321 | the secure channel, and the application protocol is then used to |
| 322 | determine where to connect to from the remote machine. |
| 323 | |
| 324 | The argument must be [bind_address:]port. IPv6 addresses can be |
| 325 | specified by enclosing addresses in square brackets. By default, |
| 326 | the local port is bound in accordance with the GatewayPorts |
| 327 | setting. However, an explicit bind_address may be used to bind |
| 328 | the connection to a specific address. The bind_address of |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 329 | localhost indicates that the listening port be bound for local |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 330 | use only, while an empty address or M-bM-^@M-^X*M-bM-^@M-^Y indicates that the port |
| 331 | should be available from all interfaces. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 332 | |
| 333 | Currently the SOCKS4 and SOCKS5 protocols are supported, and |
| 334 | ssh(1) will act as a SOCKS server. Multiple forwardings may be |
| 335 | specified, and additional forwardings can be given on the command |
| 336 | line. Only the superuser can forward privileged ports. |
| 337 | |
| 338 | EnableSSHKeysign |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 339 | Setting this option to yes in the global client configuration |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 340 | file /etc/ssh/ssh_config enables the use of the helper program |
| 341 | ssh-keysign(8) during HostbasedAuthentication. The argument must |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 342 | be yes or no (the default). This option should be placed in the |
| 343 | non-hostspecific section. See ssh-keysign(8) for more |
| 344 | information. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 345 | |
| 346 | EscapeChar |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 347 | Sets the escape character (default: M-bM-^@M-^X~M-bM-^@M-^Y). The escape character |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 348 | can also be set on the command line. The argument should be a |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 349 | single character, M-bM-^@M-^X^M-bM-^@M-^Y followed by a letter, or none to disable |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 350 | the escape character entirely (making the connection transparent |
| 351 | for binary data). |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 352 | |
| 353 | ExitOnForwardFailure |
| 354 | Specifies whether ssh(1) should terminate the connection if it |
| 355 | cannot set up all requested dynamic, tunnel, local, and remote |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 356 | port forwardings, (e.g. if either end is unable to bind and |
| 357 | listen on a specified port). Note that ExitOnForwardFailure does |
| 358 | not apply to connections made over port forwardings and will not, |
| 359 | for example, cause ssh(1) to exit if TCP connections to the |
| 360 | ultimate forwarding destination fail. The argument must be yes |
| 361 | or no (the default). |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 362 | |
| 363 | FingerprintHash |
| 364 | Specifies the hash algorithm used when displaying key |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 365 | fingerprints. Valid options are: md5 and sha256 (the default). |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 366 | |
| 367 | ForwardAgent |
| 368 | Specifies whether the connection to the authentication agent (if |
| 369 | any) will be forwarded to the remote machine. The argument must |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 370 | be yes or no (the default). |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 371 | |
| 372 | Agent forwarding should be enabled with caution. Users with the |
| 373 | ability to bypass file permissions on the remote host (for the |
| 374 | agent's Unix-domain socket) can access the local agent through |
| 375 | the forwarded connection. An attacker cannot obtain key material |
| 376 | from the agent, however they can perform operations on the keys |
| 377 | that enable them to authenticate using the identities loaded into |
| 378 | the agent. |
| 379 | |
| 380 | ForwardX11 |
| 381 | Specifies whether X11 connections will be automatically |
| 382 | redirected over the secure channel and DISPLAY set. The argument |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 383 | must be yes or no (the default). |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 384 | |
| 385 | X11 forwarding should be enabled with caution. Users with the |
| 386 | ability to bypass file permissions on the remote host (for the |
| 387 | user's X11 authorization database) can access the local X11 |
| 388 | display through the forwarded connection. An attacker may then |
| 389 | be able to perform activities such as keystroke monitoring if the |
| 390 | ForwardX11Trusted option is also enabled. |
| 391 | |
| 392 | ForwardX11Timeout |
| 393 | Specify a timeout for untrusted X11 forwarding using the format |
| 394 | described in the TIME FORMATS section of sshd_config(5). X11 |
| 395 | connections received by ssh(1) after this time will be refused. |
| 396 | The default is to disable untrusted X11 forwarding after twenty |
| 397 | minutes has elapsed. |
| 398 | |
| 399 | ForwardX11Trusted |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 400 | If this option is set to yes, remote X11 clients will have full |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 401 | access to the original X11 display. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 402 | |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 403 | If this option is set to no (the default), remote X11 clients |
| 404 | will be considered untrusted and prevented from stealing or |
| 405 | tampering with data belonging to trusted X11 clients. |
| 406 | Furthermore, the xauth(1) token used for the session will be set |
| 407 | to expire after 20 minutes. Remote clients will be refused |
| 408 | access after this time. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 409 | |
| 410 | See the X11 SECURITY extension specification for full details on |
| 411 | the restrictions imposed on untrusted clients. |
| 412 | |
| 413 | GatewayPorts |
| 414 | Specifies whether remote hosts are allowed to connect to local |
| 415 | forwarded ports. By default, ssh(1) binds local port forwardings |
| 416 | to the loopback address. This prevents other remote hosts from |
| 417 | connecting to forwarded ports. GatewayPorts can be used to |
| 418 | specify that ssh should bind local port forwardings to the |
| 419 | wildcard address, thus allowing remote hosts to connect to |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 420 | forwarded ports. The argument must be yes or no (the default). |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 421 | |
| 422 | GlobalKnownHostsFile |
| 423 | Specifies one or more files to use for the global host key |
| 424 | database, separated by whitespace. The default is |
| 425 | /etc/ssh/ssh_known_hosts, /etc/ssh/ssh_known_hosts2. |
| 426 | |
| 427 | GSSAPIAuthentication |
| 428 | Specifies whether user authentication based on GSSAPI is allowed. |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 429 | The default is no. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 430 | |
| 431 | GSSAPIDelegateCredentials |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 432 | Forward (delegate) credentials to the server. The default is no. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 433 | |
| 434 | HashKnownHosts |
| 435 | Indicates that ssh(1) should hash host names and addresses when |
| 436 | they are added to ~/.ssh/known_hosts. These hashed names may be |
| 437 | used normally by ssh(1) and sshd(8), but they do not reveal |
| 438 | identifying information should the file's contents be disclosed. |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 439 | The default is no. Note that existing names and addresses in |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 440 | known hosts files will not be converted automatically, but may be |
| 441 | manually hashed using ssh-keygen(1). |
| 442 | |
| 443 | HostbasedAuthentication |
| 444 | Specifies whether to try rhosts based authentication with public |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 445 | key authentication. The argument must be yes or no (the |
| 446 | default). |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 447 | |
| 448 | HostbasedKeyTypes |
| 449 | Specifies the key types that will be used for hostbased |
Greg Hartman | ccacbc9 | 2016-02-03 09:59:44 -0800 | [diff] [blame] | 450 | authentication as a comma-separated pattern list. Alternately if |
| 451 | the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the |
| 452 | specified key types will be appended to the default set instead |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 453 | of replacing them. If the specified value begins with a M-bM-^@M-^X-M-bM-^@M-^Y |
| 454 | character, then the specified key types (including wildcards) |
| 455 | will be removed from the default set instead of replacing them. |
| 456 | The default for this option is: |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 457 | |
| 458 | ecdsa-sha2-nistp256-cert-v01@openssh.com, |
| 459 | ecdsa-sha2-nistp384-cert-v01@openssh.com, |
| 460 | ecdsa-sha2-nistp521-cert-v01@openssh.com, |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 461 | ssh-ed25519-cert-v01@openssh.com, |
Greg Hartman | ccacbc9 | 2016-02-03 09:59:44 -0800 | [diff] [blame] | 462 | ssh-rsa-cert-v01@openssh.com, |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 463 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
Greg Hartman | ccacbc9 | 2016-02-03 09:59:44 -0800 | [diff] [blame] | 464 | ssh-ed25519,ssh-rsa |
| 465 | |
| 466 | The -Q option of ssh(1) may be used to list supported key types. |
| 467 | |
| 468 | HostKeyAlgorithms |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 469 | Specifies the host key algorithms that the client wants to use in |
| 470 | order of preference. Alternately if the specified value begins |
| 471 | with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified key types will be |
| 472 | appended to the default set instead of replacing them. If the |
| 473 | specified value begins with a M-bM-^@M-^X-M-bM-^@M-^Y character, then the specified |
| 474 | key types (including wildcards) will be removed from the default |
| 475 | set instead of replacing them. The default for this option is: |
Greg Hartman | ccacbc9 | 2016-02-03 09:59:44 -0800 | [diff] [blame] | 476 | |
| 477 | ecdsa-sha2-nistp256-cert-v01@openssh.com, |
| 478 | ecdsa-sha2-nistp384-cert-v01@openssh.com, |
| 479 | ecdsa-sha2-nistp521-cert-v01@openssh.com, |
| 480 | ssh-ed25519-cert-v01@openssh.com, |
| 481 | ssh-rsa-cert-v01@openssh.com, |
| 482 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
| 483 | ssh-ed25519,ssh-rsa |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 484 | |
| 485 | If hostkeys are known for the destination host then this default |
| 486 | is modified to prefer their algorithms. |
| 487 | |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 488 | The list of available key types may also be obtained using "ssh |
| 489 | -Q key". |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 490 | |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 491 | HostKeyAlias |
| 492 | Specifies an alias that should be used instead of the real host |
| 493 | name when looking up or saving the host key in the host key |
| 494 | database files. This option is useful for tunneling SSH |
| 495 | connections or for multiple servers running on a single host. |
| 496 | |
| 497 | HostName |
| 498 | Specifies the real host name to log into. This can be used to |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 499 | specify nicknames or abbreviations for hosts. Arguments to |
| 500 | HostName accept the tokens described in the TOKENS section. |
| 501 | Numeric IP addresses are also permitted (both on the command line |
| 502 | and in HostName specifications). The default is the name given |
| 503 | on the command line. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 504 | |
| 505 | IdentitiesOnly |
| 506 | Specifies that ssh(1) should only use the authentication identity |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 507 | and certificate files explicitly configured in the ssh_config |
| 508 | files or passed on the ssh(1) command-line, even if ssh-agent(1) |
| 509 | or a PKCS11Provider offers more identities. The argument to this |
| 510 | keyword must be yes or no (the default). This option is intended |
| 511 | for situations where ssh-agent offers many different identities. |
| 512 | |
| 513 | IdentityAgent |
| 514 | Specifies the UNIX-domain socket used to communicate with the |
| 515 | authentication agent. |
| 516 | |
| 517 | This option overrides the SSH_AUTH_SOCK environment variable and |
| 518 | can be used to select a specific agent. Setting the socket name |
| 519 | to none disables the use of an authentication agent. If the |
| 520 | string "SSH_AUTH_SOCK" is specified, the location of the socket |
| 521 | will be read from the SSH_AUTH_SOCK environment variable. |
| 522 | |
| 523 | Arguments to IdentityAgent may use the tilde syntax to refer to a |
| 524 | user's home directory or the tokens described in the TOKENS |
| 525 | section. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 526 | |
| 527 | IdentityFile |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 528 | Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 529 | authentication identity is read. The default is ~/.ssh/identity |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 530 | for protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, |
| 531 | ~/.ssh/id_ed25519 and ~/.ssh/id_rsa for protocol version 2. |
| 532 | Additionally, any identities represented by the authentication |
| 533 | agent will be used for authentication unless IdentitiesOnly is |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 534 | set. If no certificates have been explicitly specified by |
| 535 | CertificateFile, ssh(1) will try to load certificate information |
| 536 | from the filename obtained by appending -cert.pub to the path of |
| 537 | a specified IdentityFile. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 538 | |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 539 | Arguments to IdentityFile may use the tilde syntax to refer to a |
| 540 | user's home directory or the tokens described in the TOKENS |
| 541 | section. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 542 | |
| 543 | It is possible to have multiple identity files specified in |
| 544 | configuration files; all these identities will be tried in |
| 545 | sequence. Multiple IdentityFile directives will add to the list |
| 546 | of identities tried (this behaviour differs from that of other |
| 547 | configuration directives). |
| 548 | |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 549 | IdentityFile may be used in conjunction with IdentitiesOnly to |
| 550 | select which identities in an agent are offered during |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 551 | authentication. IdentityFile may also be used in conjunction |
| 552 | with CertificateFile in order to provide any certificate also |
| 553 | needed for authentication with the identity. |
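             The following is an added example, not OpenSSH's own parser.
             It is a small ssh_config resolver that shows the two rules that
             matter for the IdentityFile text above: for ordinary keywords
             the first value obtained wins (command line, then the file top
             to bottom, which is why host-specific Host blocks belong before
             the general defaults), while IdentityFile directives accumulate
             into the list of identities tried. CertificateFile is treated
             the same way, which OpenSSH also does, so the -cert.pub fallback
             can be shown. Host-line matching with ‘*’, ‘?’ and ‘!’ is
             modelled; Match blocks, Include and TOKENS are not. The sample
             configuration is constructed.

```python
import fnmatch
import re
from typing import Dict, List, Optional

# Keywords whose every applicable value is collected; all other keywords
# keep the first value obtained.
ACCUMULATING = {"identityfile", "certificatefile"}

# Constructed sample: host-specific blocks first, general defaults last.
SAMPLE_CONFIG = """\
Host bastion.example.com
    HostName 192.0.2.10
    Port 2222
    IdentityFile ~/.ssh/id_bastion

Host *.example.com !bastion.example.com
    IdentityFile ~/.ssh/id_corp

Host *
    Port 22
    HashKnownHosts yes
    IdentityFile ~/.ssh/id_ed25519
"""


def host_matches(patterns: str, host: str) -> bool:
    """Evaluate a Host line: whitespace-separated patterns with '*' and '?'
    wildcards; a pattern prefixed with '!' excludes the host if it matches."""
    matched = False
    for pat in patterns.split():
        negated = pat.startswith("!")
        if negated:
            pat = pat[1:]
        if fnmatch.fnmatchcase(host, pat):
            if negated:
                return False
            matched = True
    return matched


def resolve(config_text: str, host: str,
            command_line: Optional[Dict[str, List[str]]] = None) -> Dict[str, List[str]]:
    """Return keyword -> values for host. Command-line options are consulted
    first, then the file top to bottom, so the first value obtained wins
    except for ACCUMULATING keywords, which add to a list."""
    values: Dict[str, List[str]] = {
        k.lower(): list(v) for k, v in (command_line or {}).items()
    }
    active = True   # lines before any Host block apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # keyword and argument are separated by whitespace or '='
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            active = host_matches(arg, host)
        elif key == "match":
            raise ValueError("Match blocks are not modelled in this example")
        elif active and key in ACCUMULATING:
            values.setdefault(key, []).append(arg)
        elif active and key not in values:
            values[key] = [arg]       # later values for this keyword are ignored
    return values


def certificates_to_try(values: Dict[str, List[str]]) -> List[str]:
    """Certificates ssh would load: the explicit CertificateFile entries if
    any, otherwise <IdentityFile>-cert.pub beside each identity."""
    explicit = values.get("certificatefile")
    if explicit:
        return list(explicit)
    return [path + "-cert.pub" for path in values.get("identityfile", [])]
```

             Resolving bastion.example.com against the sample yields Port
             2222 from the first block and HashKnownHosts yes from the last,
             but both the host-specific and the default IdentityFile, in that
             order; a command-line Port overrides everything in the file.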

     IgnoreUnknown
             Specifies a pattern-list of unknown options to be ignored if they
             are encountered in configuration parsing. This may be used to
             suppress errors if ssh_config contains options that are
             unrecognised by ssh(1). It is recommended that IgnoreUnknown be
             listed early in the configuration file as it will not be applied
             to unknown options that appear before it.

     Include
             Include the specified configuration file(s). Multiple pathnames
             may be specified and each pathname may contain glob(3) wildcards
             and, for user configurations, shell-like ‘~’ references to user
             home directories. Files without absolute paths are assumed to be
             in ~/.ssh if included in a user configuration file or /etc/ssh if
             included from the system configuration file. The Include
             directive may appear inside a Match or Host block to perform
             conditional inclusion.

     IPQoS   Specifies the IPv4 type-of-service or DSCP class for connections.
             Accepted values are af11, af12, af13, af21, af22, af23, af31,
             af32, af33, af41, af42, af43, cs0, cs1, cs2, cs3, cs4, cs5, cs6,
             cs7, ef, lowdelay, throughput, reliability, or a numeric value.
             This option may take one or two arguments, separated by
             whitespace. If one argument is specified, it is used as the
             packet class unconditionally. If two values are specified, the
             first is automatically selected for interactive sessions and the
             second for non-interactive sessions. The default is lowdelay for
             interactive sessions and throughput for non-interactive sessions.

     KbdInteractiveAuthentication
             Specifies whether to use keyboard-interactive authentication.
             The argument to this keyword must be yes (the default) or no.

     KbdInteractiveDevices
             Specifies the list of methods to use in keyboard-interactive
             authentication. Multiple method names must be comma-separated.
             The default is to use the server specified list. The methods
             available vary depending on what the server supports. For an
             OpenSSH server, it may be zero or more of: bsdauth, pam, and
             skey.

     KexAlgorithms
             Specifies the available KEX (Key Exchange) algorithms. Multiple
             algorithms must be comma-separated. Alternately if the specified
             value begins with a ‘+’ character, then the specified methods
             will be appended to the default set instead of replacing them.
             If the specified value begins with a ‘-’ character, then the
             specified methods (including wildcards) will be removed from the
             default set instead of replacing them. The default is:

                curve25519-sha256,curve25519-sha256@libssh.org,
                ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
                diffie-hellman-group-exchange-sha256,
                diffie-hellman-group-exchange-sha1,
                diffie-hellman-group14-sha1

             The list of available key exchange algorithms may also be
             obtained using "ssh -Q kex".

     LocalCommand
             Specifies a command to execute on the local machine after
             successfully connecting to the server. The command string
             extends to the end of the line, and is executed with the user's
             shell. Arguments to LocalCommand accept the tokens described in
             the TOKENS section.

             The command is run synchronously and does not have access to the
             session of the ssh(1) that spawned it. It should not be used for
             interactive commands.

             This directive is ignored unless PermitLocalCommand has been
             enabled.

     LocalForward
             Specifies that a TCP port on the local machine be forwarded over
             the secure channel to the specified host and port from the remote
             machine. The first argument must be [bind_address:]port and the
             second argument must be host:hostport. IPv6 addresses can be
             specified by enclosing addresses in square brackets. Multiple
             forwardings may be specified, and additional forwardings can be
             given on the command line. Only the superuser can forward
             privileged ports. By default, the local port is bound in
             accordance with the GatewayPorts setting. However, an explicit
             bind_address may be used to bind the connection to a specific
             address. The bind_address of localhost indicates that the
             listening port be bound for local use only, while an empty
             address or ‘*’ indicates that the port should be available from
             all interfaces.

     LogLevel
             Gives the verbosity level that is used when logging messages from
             ssh(1). The possible values are: QUIET, FATAL, ERROR, INFO,
             VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO.
             DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify
             higher levels of verbose output.

     MACs    Specifies the MAC (message authentication code) algorithms in
             order of preference. The MAC algorithm is used for data
             integrity protection. Multiple algorithms must be comma-
             separated. If the specified value begins with a ‘+’ character,
             then the specified algorithms will be appended to the default set
             instead of replacing them. If the specified value begins with a
             ‘-’ character, then the specified algorithms (including
             wildcards) will be removed from the default set instead of
             replacing them.

             The algorithms that contain "-etm" calculate the MAC after
             encryption (encrypt-then-mac). These are considered safer and
             their use recommended.

             The default is:

                umac-64-etm@openssh.com,umac-128-etm@openssh.com,
                hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
                hmac-sha1-etm@openssh.com,
                umac-64@openssh.com,umac-128@openssh.com,
                hmac-sha2-256,hmac-sha2-512,hmac-sha1

             The list of available MAC algorithms may also be obtained using
             "ssh -Q mac".

     NoHostAuthenticationForLocalhost
             This option can be used if the home directory is shared across
             machines. In this case localhost will refer to a different
             machine on each of the machines and the user will get many
             warnings about changed host keys. However, this option disables
             host authentication for localhost. The argument to this keyword
             must be yes or no (the default).

     NumberOfPasswordPrompts
             Specifies the number of password prompts before giving up. The
             argument to this keyword must be an integer. The default is 3.

     PasswordAuthentication
             Specifies whether to use password authentication. The argument
             to this keyword must be yes (the default) or no.

     PermitLocalCommand
             Allow local command execution via the LocalCommand option or
             using the !command escape sequence in ssh(1). The argument must
             be yes or no (the default).

     PKCS11Provider
             Specifies which PKCS#11 provider to use. The argument to this
             keyword is the PKCS#11 shared library ssh(1) should use to
             communicate with a PKCS#11 token providing the user's private RSA
             key.

     Port    Specifies the port number to connect on the remote host. The
             default is 22.

     PreferredAuthentications
             Specifies the order in which the client should try authentication
             methods. This allows a client to prefer one method (e.g.
             keyboard-interactive) over another method (e.g. password). The
             default is:

                gssapi-with-mic,hostbased,publickey,
                keyboard-interactive,password

     Protocol
             Specifies the protocol versions ssh(1) should support in order of
             preference. The possible values are 1 and 2. Multiple versions
             must be comma-separated. When this option is set to 2,1 ssh will
             try version 2 and fall back to version 1 if version 2 is not
             available. The default is version 2. Protocol 1 suffers from a
             number of cryptographic weaknesses and should not be used. It is
             only offered to support legacy devices.

     ProxyCommand
             Specifies the command to use to connect to the server. The
             command string extends to the end of the line, and is executed
             using the user's shell ‘exec’ directive to avoid a lingering
             shell process.

             Arguments to ProxyCommand accept the tokens described in the
             TOKENS section. The command can be basically anything, and
             should read from its standard input and write to its standard
             output. It should eventually connect an sshd(8) server running
             on some machine, or execute sshd -i somewhere. Host key
             management will be done using the HostName of the host being
             connected (defaulting to the name typed by the user). Setting
             the command to none disables this option entirely. Note that
             CheckHostIP is not available for connects with a proxy command.

             This directive is useful in conjunction with nc(1) and its proxy
             support. For example, the following directive would connect via
             an HTTP proxy at 192.0.2.0:

                ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p

     ProxyJump
             Specifies one or more jump proxies as [user@]host[:port].
             Multiple proxies may be separated by comma characters and will be
             visited sequentially. Setting this option will cause ssh(1) to
             connect to the target host by first making an ssh(1) connection
             to the specified ProxyJump host and then establishing a TCP
             forwarding to the ultimate target from there.

             Note that this option will compete with the ProxyCommand option -
             whichever is specified first will prevent later instances of the
             other from taking effect.

     ProxyUseFdpass
             Specifies that ProxyCommand will pass a connected file descriptor
             back to ssh(1) instead of continuing to execute and pass data.
             The default is no.

     PubkeyAcceptedKeyTypes
             Specifies the key types that will be used for public key
             authentication as a comma-separated pattern list. Alternately if
             the specified value begins with a ‘+’ character, then the key
             types after it will be appended to the default instead of
             replacing it. If the specified value begins with a ‘-’
             character, then the specified key types (including wildcards)
             will be removed from the default set instead of replacing them.
             The default for this option is:

                ecdsa-sha2-nistp256-cert-v01@openssh.com,
                ecdsa-sha2-nistp384-cert-v01@openssh.com,
                ecdsa-sha2-nistp521-cert-v01@openssh.com,
                ssh-ed25519-cert-v01@openssh.com,
                ssh-rsa-cert-v01@openssh.com,
                ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
                ssh-ed25519,ssh-rsa

             The list of available key types may also be obtained using "ssh
             -Q key".
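             The following is an added example, not OpenSSH's own code. It
             implements the ‘+’ / ‘-’ / plain-list rule that HostbasedKeyTypes,
             HostKeyAlgorithms, KexAlgorithms, MACs and PubkeyAcceptedKeyTypes
             share, using the default lists printed on this page, so a
             hardening change such as dropping every sha1 key exchange or
             every non-etm MAC can be checked before it is deployed. Wildcards
             after ‘-’ follow the same ‘*’ and ‘?’ matching as PATTERNS; names
             are only validated when a supported list (what ssh -Q prints on
             your build) is passed in. The assumption that ‘+’ skips names
             already present is an assumption made for this example.

```python
import fnmatch
from typing import List, Optional

# Defaults copied from this manual page (OpenSSH of that era); compare with
# 'ssh -Q key', 'ssh -Q kex' and 'ssh -Q mac' on the build you run.
DEFAULT_PUBKEY_ACCEPTED_KEY_TYPES = [
    "ecdsa-sha2-nistp256-cert-v01@openssh.com",
    "ecdsa-sha2-nistp384-cert-v01@openssh.com",
    "ecdsa-sha2-nistp521-cert-v01@openssh.com",
    "ssh-ed25519-cert-v01@openssh.com",
    "ssh-rsa-cert-v01@openssh.com",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "ssh-ed25519", "ssh-rsa",
]
DEFAULT_KEX_ALGORITHMS = [
    "curve25519-sha256", "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group14-sha1",
]
DEFAULT_MACS = [
    "umac-64-etm@openssh.com", "umac-128-etm@openssh.com",
    "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
    "hmac-sha1-etm@openssh.com",
    "umac-64@openssh.com", "umac-128@openssh.com",
    "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1",
]


def _split_list(text: str) -> List[str]:
    return [item for item in text.split(",") if item]


def apply_algorithm_spec(spec: str, default: List[str],
                         supported: Optional[List[str]] = None) -> List[str]:
    """Compute the effective algorithm list for one keyword.

    spec       'a,b' replaces the default, '+a,b' appends to it, '-p,q'
               removes every default entry matching a pattern (wildcards
               '*' and '?' allowed after '-')
    default    the keyword's default list, in preference order
    supported  when given, every resulting name must be in it (ssh rejects
               unknown names); unknown names raise ValueError
    """
    spec = spec.strip()
    if spec.startswith("+"):
        result = list(default)
        for name in _split_list(spec[1:]):
            if name not in result:      # assumption: appending never duplicates
                result.append(name)
    elif spec.startswith("-"):
        patterns = _split_list(spec[1:])
        result = [name for name in default
                  if not any(fnmatch.fnmatchcase(name, p) for p in patterns)]
    else:
        result = _split_list(spec)
    if not result:
        raise ValueError("algorithm list %r is empty after processing" % spec)
    if supported is not None:
        unknown = [name for name in result if name not in supported]
        if unknown:
            raise ValueError("unsupported algorithms: %s" % ",".join(unknown))
    return result


def uses_only_etm_macs(macs: List[str]) -> bool:
    """True if every MAC left is an encrypt-then-mac variant, which this
    page recommends."""
    return all("-etm" in name for name in macs)
```

             Because ‘-’ is applied to the default list only, a removal
             cannot be undone by a later ‘+’ for the same keyword: the first
             value obtained wins, as for every other keyword.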

     PubkeyAuthentication
             Specifies whether to try public key authentication. The argument
             to this keyword must be yes (the default) or no.

     RekeyLimit
             Specifies the maximum amount of data that may be transmitted
             before the session key is renegotiated, optionally followed by a
             maximum amount of time that may pass before the session key is
             renegotiated. The first argument is specified in bytes and may
             have a suffix of ‘K’, ‘M’, or ‘G’ to indicate Kilobytes,
             Megabytes, or Gigabytes, respectively. The default is between
             ‘1G’ and ‘4G’, depending on the cipher. The optional second
             value is specified in seconds and may use any of the units
             documented in the TIME FORMATS section of sshd_config(5). The
             default value for RekeyLimit is default none, which means that
             rekeying is performed after the cipher's default amount of data
             has been sent or received and no time based rekeying is done.
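             The following is an added example, not OpenSSH's parser. It
             turns a RekeyLimit argument into a (bytes, seconds) pair using
             the K/M/G suffixes above and the s/m/h/d/w units of the TIME
             FORMATS section of sshd_config(5), with None standing for the
             cipher's default data limit and for no time-based rekeying. The
             16-byte lower bound mirrors the "RekeyLimit too small" check in
             OpenSSH's readconf.c.

```python
import re
from typing import Optional, Tuple

_SIZE_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
# TIME FORMATS of sshd_config(5): a bare number is seconds; s, m, h, d, w
# suffixes may be combined, as in "1h30m".
_TIME_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_MIN_REKEY_BYTES = 16


def parse_size(text: str) -> Optional[int]:
    """'default' -> None; otherwise a byte count with optional K/M/G suffix."""
    if text.lower() == "default":
        return None
    m = re.fullmatch(r"(\d+)([KMGkmg]?)", text)
    if not m:
        raise ValueError("bad RekeyLimit data size: %r" % text)
    value = int(m.group(1)) * _SIZE_UNITS[m.group(2).upper()]
    if value != 0 and value < _MIN_REKEY_BYTES:
        raise ValueError("RekeyLimit too small: %r" % text)
    return value


def parse_time(text: str) -> Optional[int]:
    """'none' -> None; otherwise total seconds, accepting sequences like '1h30m'."""
    if text.lower() == "none":
        return None
    if not re.fullmatch(r"(\d+[smhdw]?)+", text):
        raise ValueError("bad RekeyLimit time: %r" % text)
    return sum(int(n) * _TIME_UNITS[u]
               for n, u in re.findall(r"(\d+)([smhdw]?)", text))


def parse_rekey_limit(argument: str) -> Tuple[Optional[int], Optional[int]]:
    """Return (max_bytes, max_seconds) for a RekeyLimit argument; None means
    the cipher's default data limit, or no time-based rekeying."""
    parts = argument.split()
    if not 1 <= len(parts) <= 2:
        raise ValueError("RekeyLimit takes one or two arguments")
    size = parse_size(parts[0])
    seconds = parse_time(parts[1]) if len(parts) == 2 else None
    return size, seconds
```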

     RemoteForward
             Specifies that a TCP port on the remote machine be forwarded over
             the secure channel to the specified host and port from the local
             machine. The first argument must be [bind_address:]port and the
             second argument must be host:hostport. IPv6 addresses can be
             specified by enclosing addresses in square brackets. Multiple
             forwardings may be specified, and additional forwardings can be
             given on the command line. Privileged ports can be forwarded
             only when logging in as root on the remote machine.

             If the port argument is 0, the listen port will be dynamically
             allocated on the server and reported to the client at run time.

             If the bind_address is not specified, the default is to only bind
             to loopback addresses. If the bind_address is ‘*’ or an empty
             string, then the forwarding is requested to listen on all
             interfaces. Specifying a remote bind_address will only succeed
             if the server's GatewayPorts option is enabled (see
             sshd_config(5)).
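             The following is an added example, not OpenSSH's parser, that
             serves both LocalForward and RemoteForward. It parses the
             [bind_address:]port and host:hostport arguments, including
             bracketed IPv6 addresses, and reports where the listening port
             ends up reachable under the rules given for each keyword: no
             bind_address means "per GatewayPorts" for LocalForward and
             loopback only for RemoteForward, while ‘*’ or an empty address
             exposes the listener on every interface. Unix-domain socket
             forwards are not covered.

```python
from typing import NamedTuple, Optional, Tuple


class Forward(NamedTuple):
    bind_address: Optional[str]   # None when the argument had no bind_address
    port: int
    host: str
    hostport: int


def _split_host_port(spec: str, host_optional: bool) -> Tuple[Optional[str], int]:
    """Split 'host:port' or '[ipv6]:port'; a bare 'port' only when allowed."""
    if spec.startswith("["):
        close = spec.find("]")
        if close < 0 or spec[close + 1:close + 2] != ":":
            raise ValueError("malformed bracketed address: %r" % spec)
        host, port = spec[1:close], spec[close + 2:]
    elif ":" in spec:
        host, port = spec.rsplit(":", 1)
        if ":" in host:
            raise ValueError("IPv6 address must be enclosed in brackets: %r" % spec)
    elif host_optional:
        host, port = None, spec
    else:
        raise ValueError("expected host:port, got %r" % spec)
    if not port.isdigit() or int(port) > 65535:
        raise ValueError("bad port in %r" % spec)
    return host, int(port)


def parse_forward(listen_spec: str, target_spec: str) -> Forward:
    """Parse the two arguments of a LocalForward or RemoteForward line."""
    bind_address, port = _split_host_port(listen_spec, host_optional=True)
    host, hostport = _split_host_port(target_spec, host_optional=False)
    return Forward(bind_address, port, host, hostport)


def listener_exposure(fwd: Forward, remote: bool) -> str:
    """Where the listening port ends up reachable, following the rules on
    this page (remote=True for RemoteForward, whose listener is on the
    server and whose bind_address needs the server's GatewayPorts)."""
    if fwd.bind_address is None:
        return "loopback only" if remote else "per GatewayPorts setting"
    if fwd.bind_address in ("localhost", "127.0.0.1", "::1"):
        return "loopback only"
    suffix = " (needs server GatewayPorts)" if remote else ""
    if fwd.bind_address in ("", "*"):
        return "all interfaces" + suffix
    return "address %s only%s" % (fwd.bind_address, suffix)


def requires_privilege(fwd: Forward) -> bool:
    """Listening on a privileged port needs the superuser (LocalForward) or
    a root login on the remote side (RemoteForward); port 0 is the
    dynamically allocated RemoteForward case, not a privileged port."""
    return 0 < fwd.port < 1024
```

             A review of a shared ssh_config can run every forward line
             through listener_exposure and flag those reported as "all
             interfaces", since such a listener accepts connections from any
             host that can reach the machine, not just the local user.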
| 821 | |
| 822 | RequestTTY |
| 823 | Specifies whether to request a pseudo-tty for the session. The |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 824 | argument may be one of: no (never request a TTY), yes (always |
| 825 | request a TTY when standard input is a TTY), force (always |
| 826 | request a TTY) or auto (request a TTY when opening a login |
Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 827 | session). This option mirrors the -t and -T flags for ssh(1). |
| 828 | |
| 829 | RevokedHostKeys |
| 830 | Specifies revoked host public keys. Keys listed in this file |
| 831 | will be refused for host authentication. Note that if this file |
| 832 | does not exist or is not readable, then host authentication will |
| 833 | be refused for all hosts. Keys may be specified as a text file, |
| 834 | listing one public key per line, or as an OpenSSH Key Revocation |
| 835 | List (KRL) as generated by ssh-keygen(1). For more information |
| 836 | on KRLs, see the KEY REVOCATION LISTS section in ssh-keygen(1). |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 837 | |
| 838 | RhostsRSAAuthentication |
| 839 | Specifies whether to try rhosts based authentication with RSA |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 840 | host authentication. The argument must be yes or no (the |
| 841 | default). This option applies to protocol version 1 only and |
| 842 | requires ssh(1) to be setuid root. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 843 | |
| 844 | RSAAuthentication |
| 845 | Specifies whether to try RSA authentication. The argument to |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 846 | this keyword must be yes (the default) or no. RSA authentication |
| 847 | will only be attempted if the identity file exists, or an |
| 848 | authentication agent is running. Note that this option applies |
| 849 | to protocol version 1 only. |
Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 850 | |
| 851 | SendEnv |
| 852 | Specifies what variables from the local environ(7) should be sent |
Greg Hartman | 9768ca4 | 2017-06-22 20:49:52 -0700 | [diff] [blame] | 853 | to the server. The server must also support it, and the server |
Greg Hartman | ccacbc9 | 2016-02-03 09:59:44 -0800 | [diff] [blame] | 854 | must be configured to accept these environment variables. Note |
| 855 | that the TERM environment variable is always sent whenever a |
| 856 | pseudo-terminal is requested as it is required by the protocol. |
| 857 | Refer to AcceptEnv in sshd_config(5) for how to configure the |
| 858 | server. Variables are specified by name, which may contain |
| 859 | wildcard characters. Multiple environment variables may be |
| 860 | separated by whitespace or spread across multiple SendEnv |
| 861 | directives. The default is not to send any environment |
| 862 | variables. |

     See PATTERNS for more information on patterns.

     ServerAliveCountMax
             Sets the number of server alive messages (see below) which may be
             sent without ssh(1) receiving any messages back from the server.
             If this threshold is reached while server alive messages are
             being sent, ssh will disconnect from the server, terminating the
             session. It is important to note that the use of server alive
             messages is very different from TCPKeepAlive (below). The server
             alive messages are sent through the encrypted channel and
             therefore will not be spoofable. The TCP keepalive option
             enabled by TCPKeepAlive is spoofable. The server alive mechanism
             is valuable when the client or server depends on knowing when a
             connection has become inactive.

             The default value is 3. If, for example, ServerAliveInterval
             (see below) is set to 15 and ServerAliveCountMax is left at the
             default, then ssh will disconnect after approximately 45 seconds
             (3 unanswered messages, 15 seconds apart) if the server becomes
             unresponsive.

     ServerAliveInterval
             Sets a timeout interval in seconds after which if no data has
             been received from the server, ssh(1) will send a message through
             the encrypted channel to request a response from the server. The
             default is 0, indicating that these messages will not be sent to
             the server.

     StreamLocalBindMask
             Sets the octal file creation mode mask (umask) used when creating
             a Unix-domain socket file for local or remote port forwarding.
             This option is only used for port forwarding to a Unix-domain
             socket file.

             The default value is 0177, which creates a Unix-domain socket
             file that is readable and writable only by the owner. Note that
             not all operating systems honor the file mode on Unix-domain
             socket files.

     StreamLocalBindUnlink
             Specifies whether to remove an existing Unix-domain socket file
             for local or remote port forwarding before creating a new one.
             If the socket file already exists and StreamLocalBindUnlink is
             not enabled, ssh will be unable to forward the port to the Unix-
             domain socket file. This option is only used for port forwarding
             to a Unix-domain socket file.

             The argument must be yes or no (the default).
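     The following Python program is an added illustration of the two
     StreamLocalBind options above; it is not part of ssh_config(5) or of
     OpenSSH. It creates a Unix-domain socket file under the default mask
     0177 and reports the permission bits the operating system actually
     stored, then shows the bind failure a stale socket file causes when
     StreamLocalBindUnlink is left at no, and the success when the file is
     unlinked first. The socket path and directory are constructed with
     tempfile; the function names are the example's own.

```python
import errno
import os
import socket
import tempfile

# Default StreamLocalBindMask from ssh_config(5). The umask is applied when
# the socket file is created, so 0177 clears the group/other bits and the
# owner's execute bit, leaving the file readable and writable by the owner.
DEFAULT_STREAM_LOCAL_BIND_MASK = 0o177


def expected_socket_mode(mask: int) -> int:
    """Permission bits a new socket file gets under the given umask.

    bind(2) creates socket files with mode 0777 before the umask is applied,
    so the resulting bits are 0777 & ~mask (0600 for the default 0177).
    """
    return 0o777 & ~mask


def bind_unix_socket(path: str, mask: int = DEFAULT_STREAM_LOCAL_BIND_MASK,
                     unlink_existing: bool = False) -> socket.socket:
    """Create a listening Unix-domain socket at `path` under umask `mask`.

    `unlink_existing` models StreamLocalBindUnlink: when it is False (the
    ssh default) and a file already exists at `path`, bind fails with
    EADDRINUSE, which is the failure the man page describes.  The process
    umask is restored whether or not bind succeeds.
    """
    if unlink_existing:
        try:
            os.unlink(path)
        except FileNotFoundError:
            pass
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_mask = os.umask(mask)
    try:
        sock.bind(path)
    except OSError:
        sock.close()
        raise
    finally:
        os.umask(old_mask)
    sock.listen(1)
    return sock


def socket_file_mode(path: str) -> int:
    """Permission bits of the socket file as the OS actually stored them."""
    return os.stat(path).st_mode & 0o777


def demo() -> dict:
    """Run the three cases on a constructed temporary path and report them."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "fwd.sock")
    result = {}
    first = bind_unix_socket(path)
    result["mode"] = socket_file_mode(path)
    result["expected_mode"] = expected_socket_mode(DEFAULT_STREAM_LOCAL_BIND_MASK)
    # Bind again without StreamLocalBindUnlink: the path is still in use.
    try:
        bind_unix_socket(path)
        result["rebind_without_unlink"] = "succeeded"
    except OSError as exc:
        result["rebind_without_unlink"] = errno.errorcode.get(exc.errno, str(exc.errno))
    # With StreamLocalBindUnlink yes the stale file is removed first.
    second = bind_unix_socket(path, unlink_existing=True)
    result["rebind_with_unlink"] = "succeeded"
    first.close()
    second.close()
    os.unlink(path)
    os.rmdir(tmpdir)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v:04o}" if isinstance(v, int) else f"{k}: {v}")
```

     On systems that honor the mode, `mode` equals `expected_mode` (0600);
     a system that ignores it is exactly the case the man page warns about,
     and the socket file may then be reachable by other local users.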

     StrictHostKeyChecking
             If this flag is set to yes, ssh(1) will never automatically add
             host keys to the ~/.ssh/known_hosts file, and refuses to connect
             to hosts whose host key has changed. This provides maximum
             protection against trojan horse attacks, though it can be
             annoying when the /etc/ssh/ssh_known_hosts file is poorly
             maintained or when connections to new hosts are frequently made.
             This option forces the user to manually add all new hosts. If
             this flag is set to no, ssh will automatically add new host keys
             to the user known hosts files. If this flag is set to ask (the
             default), new host keys will be added to the user known host
             files only after the user has confirmed that is what they really
             want to do, and ssh will refuse to connect to hosts whose host
             key has changed. The host keys of known hosts will be verified
             automatically in all cases.

     TCPKeepAlive
             Specifies whether the system should send TCP keepalive messages
             to the other side. If they are sent, death of the connection or
             crash of one of the machines will be properly noticed. However,
             this means that connections will die if the route is down
             temporarily, and some people find it annoying.

             The default is yes (to send TCP keepalive messages), and the
             client will notice if the network goes down or the remote host
             dies. This is important in scripts, and many users want it too.

             To disable TCP keepalive messages, the value should be set to no.

     Tunnel  Request tun(4) device forwarding between the client and the
             server. The argument must be yes, point-to-point (layer 3),
             ethernet (layer 2), or no (the default). Specifying yes requests
             the default tunnel mode, which is point-to-point.

     TunnelDevice
             Specifies the tun(4) devices to open on the client (local_tun)
             and the server (remote_tun).

             The argument must be local_tun[:remote_tun]. The devices may be
             specified by numerical ID or the keyword any, which uses the next
             available tunnel device. If remote_tun is not specified, it
             defaults to any. The default is any:any.

     UpdateHostKeys
             Specifies whether ssh(1) should accept notifications of
             additional hostkeys from the server sent after authentication has
             completed and add them to UserKnownHostsFile. The argument must
             be yes, no (the default) or ask. Enabling this option allows
             learning alternate hostkeys for a server and supports graceful
             key rotation by allowing a server to send replacement public keys
             before old ones are removed. Additional hostkeys are only
             accepted if the key used to authenticate the host was already
             trusted or explicitly accepted by the user. If UpdateHostKeys is
             set to ask, then the user is asked to confirm the modifications
             to the known_hosts file. Confirmation is currently incompatible
             with ControlPersist, and will be disabled if ControlPersist is
             enabled.

             Presently, only sshd(8) from OpenSSH 6.8 and greater supports the
             "hostkeys@openssh.com" protocol extension used to inform the
             client of all the server's hostkeys.

     UsePrivilegedPort
             Specifies whether to use a privileged port for outgoing
             connections. The argument must be yes or no (the default). If
             set to yes, ssh(1) must be setuid root. Note that this option
             must be set to yes for RhostsRSAAuthentication with older
             servers.

     User    Specifies the user to log in as. This can be useful when a
             different user name is used on different machines. This saves
             the trouble of having to remember to give the user name on the
             command line.

     UserKnownHostsFile
             Specifies one or more files to use for the user host key
             database, separated by whitespace. The default is
             ~/.ssh/known_hosts, ~/.ssh/known_hosts2.

     VerifyHostKeyDNS
             Specifies whether to verify the remote key using DNS and SSHFP
             resource records. If this option is set to yes, the client will
             implicitly trust keys that match a secure fingerprint from DNS.
             Insecure fingerprints will be handled as if this option was set
             to ask. If this option is set to ask, information on fingerprint
             match will be displayed, but the user will still need to confirm
             new host keys according to the StrictHostKeyChecking option. The
             default is no.

             See also VERIFYING HOST KEYS in ssh(1).
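     The following Python program is an added model of the
     StrictHostKeyChecking decision table and of the UserKnownHostsFile
     lookup described above; it is not code from ssh_config(5) or from
     OpenSSH. It parses plain known_hosts lines (hashed "|1|" entries and
     "@" marker lines are deliberately left out), reads the files named by
     UserKnownHostsFile in order, and for an offered host key returns
     whether ssh would accept it, refuse it, add it silently, or ask. The
     sample known_hosts text and its key blobs are constructed placeholders,
     and the function names are the example's own.

```python
from typing import Iterable, List, Set, Tuple

# Constructed sample known_hosts contents.  The key blobs are placeholders,
# not real public keys.  The first entry shows the "host,ip" alias form.
SAMPLE_KNOWN_HOSTS = """\
# constructed sample for illustration
bastion.example.com,10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY1 bastion
build01.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERKEY2 build01
"""

Entry = Tuple[List[str], str, str]  # (hostnames, keytype, base64 key)


def parse_known_hosts(text: str) -> List[Entry]:
    """Parse plain known_hosts lines: "host[,host...] keytype base64 [comment]".

    Blank lines, comments and "@" marker lines are skipped; hashed "|1|"
    hostnames are not modelled and would simply never match a lookup.
    """
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        fields = line.split(None, 3)
        if len(fields) < 3:
            continue
        entries.append((fields[0].split(","), fields[1], fields[2]))
    return entries


def load_known_hosts(paths: Iterable[str]) -> List[Entry]:
    """Read every existing file listed in UserKnownHostsFile, in order."""
    entries: List[Entry] = []
    for path in paths:
        try:
            with open(path, encoding="utf-8") as f:
                entries.extend(parse_known_hosts(f.read()))
        except FileNotFoundError:
            continue
    return entries


def keys_for_host(entries: List[Entry], host: str) -> Set[Tuple[str, str]]:
    """All (keytype, key) pairs recorded for host; hostnames compare case-insensitively."""
    host = host.lower()
    return {(kt, key) for hosts, kt, key in entries
            if any(h.lower() == host for h in hosts)}


def host_key_decision(policy: str, entries: List[Entry],
                      host: str, keytype: str, key: str) -> str:
    """Model the StrictHostKeyChecking rules described in ssh_config(5).

    Returns "accept" when the offered key is already recorded for the host
    (verified automatically under every policy), "refuse" when a recorded
    key of the same type differs (a changed host key is refused under every
    policy) or when the host is unknown under policy yes, "add" when the host
    is unknown under policy no, and "ask" when it is unknown under policy
    ask (the default).
    """
    if policy not in ("yes", "no", "ask"):
        raise ValueError("StrictHostKeyChecking must be yes, no or ask")
    known = keys_for_host(entries, host)
    if (keytype, key) in known:
        return "accept"
    if any(kt == keytype for kt, _ in known):
        return "refuse"
    return {"yes": "refuse", "no": "add", "ask": "ask"}[policy]


if __name__ == "__main__":
    db = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    for policy in ("yes", "no", "ask"):
        print(policy, host_key_decision(policy, db, "new.example.com",
                                        "ssh-ed25519", "AAAANEWKEY"))
```

     The point the table makes is that the policy only matters for hosts
     that are not yet in the database; a key that differs from the recorded
     one of the same type is refused regardless, which is the protection
     against a substituted server that the text refers to.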

     VisualHostKey
             If this flag is set to yes, an ASCII art representation of the
             remote host key fingerprint is printed in addition to the
             fingerprint string at login and for unknown host keys. If this
             flag is set to no (the default), no fingerprint strings are
             printed at login and only the fingerprint string will be printed
             for unknown host keys.

     XAuthLocation
             Specifies the full pathname of the xauth(1) program. The default
             is /usr/X11R6/bin/xauth.

PATTERNS
     A pattern consists of zero or more non-whitespace characters, ‘*’ (a
     wildcard that matches zero or more characters), or ‘?’ (a wildcard that
     matches exactly one character). For example, to specify a set of
     declarations for any host in the ".co.uk" set of domains, the following
     pattern could be used:

        Host *.co.uk

     The following pattern would match any host in the 192.168.0.[0-9] network
     range:

        Host 192.168.0.?

     A pattern-list is a comma-separated list of patterns. Patterns within
     pattern-lists may be negated by preceding them with an exclamation mark
     (‘!’). For example, to allow a key to be used from anywhere within an
     organization except from the "dialup" pool, the following entry (in
     authorized_keys) could be used:

        from="!*.dialup.example.com,*.example.com"
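     The following Python program is an added implementation of the pattern
     and pattern-list rules in this section; it is not OpenSSH's matcher.
     Only ‘*’ and ‘?’ are special (unlike fnmatch, ‘[’ is literal), and a
     pattern-list is evaluated left to right: the first negated pattern that
     matches rejects the name, the first plain pattern that matches accepts
     it, and no match at all is neither. It assumes hostname matching is
     case-insensitive; the function names are the example's own.

```python
import re


def _pattern_to_regex(pattern: str) -> "re.Pattern":
    """Translate an ssh pattern into an anchored regex.

    '*' becomes '.*', '?' becomes '.', and every other character is taken
    literally, so '[', '.' and '+' in hostnames need no escaping by the user.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def match_pattern(name: str, pattern: str) -> bool:
    """True if the whole of `name` matches the single ssh pattern."""
    return _pattern_to_regex(pattern).match(name) is not None


def match_pattern_list(name: str, pattern_list: str) -> int:
    """Evaluate a comma-separated pattern-list against `name`.

    Returns -1 when a negated pattern matches (the name is rejected),
    1 when a plain pattern matches (accepted), and 0 when nothing matches.
    Patterns are tried in order, so a negation placed after a broader
    positive pattern never gets a chance to reject anything.
    """
    for pattern in pattern_list.split(","):
        pattern = pattern.strip()
        if not pattern:
            continue
        negated = pattern.startswith("!")
        if negated:
            pattern = pattern[1:]
        if match_pattern(name, pattern):
            return -1 if negated else 1
    return 0


def allowed_by_from(name: str, from_list: str) -> bool:
    """Would an authorized_keys from="..." option admit a connection from `name`?

    Only an explicit positive match admits it; no match and a negated match
    are both treated as denial.
    """
    return match_pattern_list(name, from_list) == 1


if __name__ == "__main__":
    rule = "!*.dialup.example.com,*.example.com"
    for host in ("desk.example.com", "pc.dialup.example.com", "other.org"):
        print(host, match_pattern_list(host, rule), allowed_by_from(host, rule))
```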

TOKENS
     Arguments to some keywords can make use of tokens, which are expanded at
     runtime:

           %%    A literal ‘%’.
           %C    Shorthand for %l%h%p%r.
           %d    Local user's home directory.
           %h    The remote hostname.
           %i    The local user ID.
           %L    The local hostname.
           %l    The local hostname, including the domain name.
           %n    The original remote hostname, as given on the command line.
           %p    The remote port.
           %r    The remote username.
           %u    The local username.

     Match exec accepts the tokens %%, %h, %L, %l, %n, %p, %r, and %u.

     CertificateFile accepts the tokens %%, %d, %h, %l, %r, and %u.

     ControlPath accepts the tokens %%, %C, %h, %i, %L, %l, %n, %p, %r, and
     %u.

     HostName accepts the tokens %% and %h.

     IdentityAgent and IdentityFile accept the tokens %%, %d, %h, %l, %r, and
     %u.

     LocalCommand accepts the tokens %%, %C, %d, %h, %l, %n, %p, %r, and %u.

     ProxyCommand accepts the tokens %%, %h, %p, and %r.
FILES
     ~/.ssh/config
             This is the per-user configuration file. The format of this file
             is described above. This file is used by the SSH client.
             Because of the potential for abuse, this file must have strict
             permissions: read/write for the user, and not accessible by
             others.

     /etc/ssh/ssh_config
             Systemwide configuration file. This file provides defaults for
             those values that are not specified in the user's configuration
             file, and for those users who do not have a configuration file.
             This file must be world-readable.
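     The following Python program is an added check for the two permission
     requirements stated under FILES; it is not part of OpenSSH. It reports
     a per-user config that is reachable by group or other (or not owned by
     the invoking user), and a system-wide config that is not world-readable
     or is writable by group or other. The demo runs the check against a
     constructed temporary file rather than the real ~/.ssh/config; the
     function names are the example's own.

```python
import os
import stat
import tempfile
from typing import List


def check_config_permissions(path: str, per_user: bool = True) -> List[str]:
    """Return the permission problems found on an ssh client config file.

    per_user=True applies the ~/.ssh/config rule: owned by the current user,
    readable and writable by that user only.  per_user=False applies the
    /etc/ssh/ssh_config rule: world-readable, and (as a sanity check) not
    writable by group or other.  An empty list means the file is acceptable.
    """
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems: List[str] = []
    if per_user:
        if st.st_uid != os.getuid():
            problems.append("not owned by the current user")
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"accessible by group/other (mode {mode:04o}); expected 0600")
    else:
        if not mode & stat.S_IROTH:
            problems.append(f"not world-readable (mode {mode:04o}); expected 0644")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"writable by group/other (mode {mode:04o})")
    return problems


def demo() -> dict:
    """Exercise both rules on a constructed config file at two modes."""
    tmpdir = tempfile.mkdtemp()
    cfg = os.path.join(tmpdir, "config")
    with open(cfg, "w", encoding="utf-8") as f:
        f.write("Host *\n    ServerAliveInterval 15\n    StrictHostKeyChecking ask\n")
    result = {}
    os.chmod(cfg, 0o644)  # fine for /etc/ssh/ssh_config, too loose for ~/.ssh/config
    result["user_0644"] = check_config_permissions(cfg, per_user=True)
    result["system_0644"] = check_config_permissions(cfg, per_user=False)
    os.chmod(cfg, 0o600)  # right for ~/.ssh/config, not world-readable for the system file
    result["user_0600"] = check_config_permissions(cfg, per_user=True)
    result["system_0600"] = check_config_permissions(cfg, per_user=False)
    os.unlink(cfg)
    os.rmdir(tmpdir)
    return result


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else "; ".join(problems))
    # Real check of the invoking user's own file, if it exists:
    real = os.path.expanduser("~/.ssh/config")
    if os.path.exists(real):
        print(real, check_config_permissions(real) or "OK")
```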

SEE ALSO
     ssh(1)

AUTHORS
     OpenSSH is a derivative of the original and free ssh 1.2.12 release by
     Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
     de Raadt and Dug Song removed many bugs, re-added newer features and
     created OpenSSH. Markus Friedl contributed the support for SSH protocol
     versions 1.5 and 2.0.

OpenBSD 6.0                    February 27, 2017                    OpenBSD 6.0