version 1.21, 2017/10/07 19:39:19 |
version 1.21.2.2, 2018/09/06 06:51:33 |
|
|
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
.\" |
.\" |
.\" $OpenBSD: ssh_config.5,v 1.256 2017/09/21 19:16:53 markus Exp $ |
.\" $OpenBSD: ssh_config.5,v 1.281 2018/07/23 19:02:49 kn Exp $ |
.Dd September 21 2017 |
.Dd July 23 2018 |
.Dt SSH_CONFIG 5 |
.Dt SSH_CONFIG 5 |
.Os |
.Os |
.Sh NAME |
.Sh NAME |
|
|
Use the specified address on the local machine as the source address of |
Use the specified address on the local machine as the source address of |
the connection. |
the connection. |
Only useful on systems with more than one address. |
Only useful on systems with more than one address. |
Note that this option does not work if |
.It Cm BindInterface |
.Cm UsePrivilegedPort |
Use the address of the specified interface on the local machine as the |
is set to |
source address of the connection. |
.Cm yes . |
|
.It Cm CanonicalDomains |
.It Cm CanonicalDomains |
When |
When |
.Cm CanonicalizeHostname |
.Cm CanonicalizeHostname |
|
|
.Bd -literal -offset indent |
.Bd -literal -offset indent |
chacha20-poly1305@openssh.com, |
chacha20-poly1305@openssh.com, |
aes128-ctr,aes192-ctr,aes256-ctr, |
aes128-ctr,aes192-ctr,aes256-ctr, |
aes128-gcm@openssh.com,aes256-gcm@openssh.com, |
aes128-gcm@openssh.com,aes256-gcm@openssh.com |
aes128-cbc,aes192-cbc,aes256-cbc |
|
.Ed |
.Ed |
.Pp |
.Pp |
The list of available ciphers may also be obtained using |
The list of available ciphers may also be obtained using |
|
|
(the default). |
(the default). |
.It Cm HostbasedKeyTypes |
.It Cm HostbasedKeyTypes |
Specifies the key types that will be used for hostbased authentication |
Specifies the key types that will be used for hostbased authentication |
as a comma-separated pattern list. |
as a comma-separated list of patterns. |
Alternately if the specified value begins with a |
Alternately if the specified value begins with a |
.Sq + |
.Sq + |
character, then the specified key types will be appended to the default set |
character, then the specified key types will be appended to the default set |
Line 768 ecdsa-sha2-nistp256-cert-v01@openssh.com |
|
Line 766 ecdsa-sha2-nistp256-cert-v01@openssh.com |
|
ecdsa-sha2-nistp384-cert-v01@openssh.com, |
ecdsa-sha2-nistp384-cert-v01@openssh.com, |
ecdsa-sha2-nistp521-cert-v01@openssh.com, |
ecdsa-sha2-nistp521-cert-v01@openssh.com, |
ssh-ed25519-cert-v01@openssh.com, |
ssh-ed25519-cert-v01@openssh.com, |
|
rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, |
ssh-rsa-cert-v01@openssh.com, |
ssh-rsa-cert-v01@openssh.com, |
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
ssh-ed25519,ssh-rsa |
ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa |
.Ed |
.Ed |
.Pp |
.Pp |
The |
The |
Line 795 ecdsa-sha2-nistp256-cert-v01@openssh.com |
|
Line 794 ecdsa-sha2-nistp256-cert-v01@openssh.com |
|
ecdsa-sha2-nistp384-cert-v01@openssh.com, |
ecdsa-sha2-nistp384-cert-v01@openssh.com, |
ecdsa-sha2-nistp521-cert-v01@openssh.com, |
ecdsa-sha2-nistp521-cert-v01@openssh.com, |
ssh-ed25519-cert-v01@openssh.com, |
ssh-ed25519-cert-v01@openssh.com, |
|
rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, |
ssh-rsa-cert-v01@openssh.com, |
ssh-rsa-cert-v01@openssh.com, |
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
ssh-ed25519,ssh-rsa |
ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa |
.Ed |
.Ed |
.Pp |
.Pp |
If hostkeys are known for the destination host then this default is modified |
If hostkeys are known for the destination host then this default is modified |
Line 928 to unknown options that appear before it |
|
Line 928 to unknown options that appear before it |
|
.It Cm Include |
.It Cm Include |
Include the specified configuration file(s). |
Include the specified configuration file(s). |
Multiple pathnames may be specified and each pathname may contain |
Multiple pathnames may be specified and each pathname may contain |
.Xr glob 3 |
.Xr glob 7 |
wildcards and, for user configurations, shell-like |
wildcards and, for user configurations, shell-like |
.Sq ~ |
.Sq ~ |
references to user home directories. |
references to user home directories. |
Line 979 If one argument is specified, it is used |
|
Line 979 If one argument is specified, it is used |
|
If two values are specified, the first is automatically selected for |
If two values are specified, the first is automatically selected for |
interactive sessions and the second for non-interactive sessions. |
interactive sessions and the second for non-interactive sessions. |
The default is |
The default is |
.Cm lowdelay |
.Cm af21 |
|
(Low-Latency Data) |
for interactive sessions and |
for interactive sessions and |
.Cm throughput |
.Cm cs1 |
|
(Lower Effort) |
for non-interactive sessions. |
for non-interactive sessions. |
.It Cm KbdInteractiveAuthentication |
.It Cm KbdInteractiveAuthentication |
Specifies whether to use keyboard-interactive authentication. |
Specifies whether to use keyboard-interactive authentication. |
Line 1017 The default is: |
|
Line 1019 The default is: |
|
curve25519-sha256,curve25519-sha256@libssh.org, |
curve25519-sha256,curve25519-sha256@libssh.org, |
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, |
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, |
diffie-hellman-group-exchange-sha256, |
diffie-hellman-group-exchange-sha256, |
|
diffie-hellman-group16-sha512, |
|
diffie-hellman-group18-sha512, |
diffie-hellman-group-exchange-sha1, |
diffie-hellman-group-exchange-sha1, |
|
diffie-hellman-group14-sha256, |
diffie-hellman-group14-sha1 |
diffie-hellman-group14-sha1 |
.Ed |
.Ed |
.Pp |
.Pp |
Line 1109 hmac-sha2-256,hmac-sha2-512,hmac-sha1 |
|
Line 1114 hmac-sha2-256,hmac-sha2-512,hmac-sha1 |
|
The list of available MAC algorithms may also be obtained using |
The list of available MAC algorithms may also be obtained using |
.Qq ssh -Q mac . |
.Qq ssh -Q mac . |
.It Cm NoHostAuthenticationForLocalhost |
.It Cm NoHostAuthenticationForLocalhost |
This option can be used if the home directory is shared across machines. |
Disable host authentication for localhost (loopback addresses). |
In this case localhost will refer to a different machine on each of |
|
the machines and the user will get many warnings about changed host keys. |
|
However, this option disables host authentication for localhost. |
|
The argument to this keyword must be |
The argument to this keyword must be |
.Cm yes |
.Cm yes |
or |
or |
Line 1200 For example, the following directive wou |
|
Line 1202 For example, the following directive wou |
|
ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p |
ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p |
.Ed |
.Ed |
.It Cm ProxyJump |
.It Cm ProxyJump |
Specifies one or more jump proxies as |
Specifies one or more jump proxies as either |
.Xo |
.Xo |
.Sm off |
.Sm off |
.Op Ar user No @ |
.Op Ar user No @ |
.Ar host |
.Ar host |
.Op : Ns Ar port |
.Op : Ns Ar port |
.Sm on |
.Sm on |
|
or an ssh URI |
.Xc . |
.Xc . |
Multiple proxies may be separated by comma characters and will be visited |
Multiple proxies may be separated by comma characters and will be visited |
sequentially. |
sequentially. |
|
|
.Cm no . |
.Cm no . |
.It Cm PubkeyAcceptedKeyTypes |
.It Cm PubkeyAcceptedKeyTypes |
Specifies the key types that will be used for public key authentication |
Specifies the key types that will be used for public key authentication |
as a comma-separated pattern list. |
as a comma-separated list of patterns. |
Alternately if the specified value begins with a |
Alternately if the specified value begins with a |
.Sq + |
.Sq + |
character, then the key types after it will be appended to the default |
character, then the key types after it will be appended to the default |
Line 1248 ecdsa-sha2-nistp256-cert-v01@openssh.com |
|
Line 1251 ecdsa-sha2-nistp256-cert-v01@openssh.com |
|
ecdsa-sha2-nistp384-cert-v01@openssh.com, |
ecdsa-sha2-nistp384-cert-v01@openssh.com, |
ecdsa-sha2-nistp521-cert-v01@openssh.com, |
ecdsa-sha2-nistp521-cert-v01@openssh.com, |
ssh-ed25519-cert-v01@openssh.com, |
ssh-ed25519-cert-v01@openssh.com, |
|
rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, |
ssh-rsa-cert-v01@openssh.com, |
ssh-rsa-cert-v01@openssh.com, |
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
ssh-ed25519,ssh-rsa |
ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa |
.Ed |
.Ed |
.Pp |
.Pp |
The list of available key types may also be obtained using |
The list of available key types may also be obtained using |
|
|
.It Cm RemoteForward |
.It Cm RemoteForward |
Specifies that a TCP port on the remote machine be forwarded over |
Specifies that a TCP port on the remote machine be forwarded over |
the secure channel. |
the secure channel. |
The remote port may either be fowarded to a specified host and port |
The remote port may either be forwarded to a specified host and port |
from the local machine, or may act as a SOCKS 4/5 proxy that allows a remote |
from the local machine, or may act as a SOCKS 4/5 proxy that allows a remote |
client to connect to arbitrary destinations from the local machine. |
client to connect to arbitrary destinations from the local machine. |
The first argument must be |
The first argument must be |
Line 1387 Multiple environment variables may be se |
|
Line 1391 Multiple environment variables may be se |
|
across multiple |
across multiple |
.Cm SendEnv |
.Cm SendEnv |
directives. |
directives. |
The default is not to send any environment variables. |
|
.Pp |
.Pp |
See |
See |
.Sx PATTERNS |
.Sx PATTERNS |
for more information on patterns. |
for more information on patterns. |
|
.Pp |
|
It is possible to clear previously set |
|
.Cm SendEnv |
|
variable names by prefixing patterns with |
|
.Pa - . |
|
The default is not to send any environment variables. |
.It Cm ServerAliveCountMax |
.It Cm ServerAliveCountMax |
Sets the number of server alive messages (see below) which may be |
Sets the number of server alive messages (see below) which may be |
sent without |
sent without |
Line 1426 will send a message through the encrypte |
|
Line 1435 will send a message through the encrypte |
|
channel to request a response from the server. |
channel to request a response from the server. |
The default |
The default |
is 0, indicating that these messages will not be sent to the server. |
is 0, indicating that these messages will not be sent to the server. |
|
.It Cm SetEnv |
|
Directly specify one or more environment variables and their contents to |
|
be sent to the server. |
|
Similarly to |
|
.Cm SendEnv , |
|
the server must be prepared to accept the environment variable. |
.It Cm StreamLocalBindMask |
.It Cm StreamLocalBindMask |
Sets the octal file creation mode mask |
Sets the octal file creation mode mask |
.Pq umask |
.Pq umask |
Line 1459 If this flag is set to |
|
Line 1474 If this flag is set to |
|
will never automatically add host keys to the |
will never automatically add host keys to the |
.Pa ~/.ssh/known_hosts |
.Pa ~/.ssh/known_hosts |
file, and refuses to connect to hosts whose host key has changed. |
file, and refuses to connect to hosts whose host key has changed. |
This provides maximum protection against trojan horse attacks, |
This provides maximum protection against man-in-the-middle (MITM) attacks, |
though it can be annoying when the |
though it can be annoying when the |
.Pa /etc/ssh/ssh_known_hosts |
.Pa /etc/ssh/ssh_known_hosts |
file is poorly maintained or when connections to new hosts are |
file is poorly maintained or when connections to new hosts are |
Line 1511 This is important in scripts, and many u |
|
Line 1526 This is important in scripts, and many u |
|
.Pp |
.Pp |
To disable TCP keepalive messages, the value should be set to |
To disable TCP keepalive messages, the value should be set to |
.Cm no . |
.Cm no . |
|
See also |
|
.Cm ServerAliveInterval |
|
for protocol-level keepalives. |
.It Cm Tunnel |
.It Cm Tunnel |
Request |
Request |
.Xr tun 4 |
.Xr tun 4 |
Line 1579 Presently, only |
|
Line 1597 Presently, only |
|
from OpenSSH 6.8 and greater support the |
from OpenSSH 6.8 and greater support the |
.Qq hostkeys@openssh.com |
.Qq hostkeys@openssh.com |
protocol extension used to inform the client of all the server's hostkeys. |
protocol extension used to inform the client of all the server's hostkeys. |
.It Cm UsePrivilegedPort |
|
Specifies whether to use a privileged port for outgoing connections. |
|
The argument must be |
|
.Cm yes |
|
or |
|
.Cm no |
|
(the default). |
|
If set to |
|
.Cm yes , |
|
.Xr ssh 1 |
|
must be setuid root. |
|
.It Cm User |
.It Cm User |
Specifies the user to log in as. |
Specifies the user to log in as. |
This can be useful when a different user name is used on different machines. |
This can be useful when a different user name is used on different machines. |
|
|
the following entry (in authorized_keys) could be used: |
the following entry (in authorized_keys) could be used: |
.Pp |
.Pp |
.Dl from=\&"!*.dialup.example.com,*.example.com\&" |
.Dl from=\&"!*.dialup.example.com,*.example.com\&" |
|
.Pp |
|
Note that a negated match will never produce a positive result by itself. |
|
For example, attempting to match |
|
.Qq host3 |
|
against the following pattern-list will fail: |
|
.Pp |
|
.Dl from=\&"!host1,!host2\&" |
|
.Pp |
|
The solution here is to include a term that will yield a positive match, |
|
such as a wildcard: |
|
.Pp |
|
.Dl from=\&"!host1,!host2,*\&" |
.Sh TOKENS |
.Sh TOKENS |
Arguments to some keywords can make use of tokens, |
Arguments to some keywords can make use of tokens, |
which are expanded at runtime: |
which are expanded at runtime: |
Line 1685 which are expanded at runtime: |
|
Line 1704 which are expanded at runtime: |
|
A literal |
A literal |
.Sq % . |
.Sq % . |
.It \&%C |
.It \&%C |
Shorthand for %l%h%p%r. |
Hash of %l%h%p%r. |
.It %d |
.It %d |
Local user's home directory. |
Local user's home directory. |
.It %h |
.It %h |
Line 1702 The original remote hostname, as given o |
|
Line 1721 The original remote hostname, as given o |
|
The remote port. |
The remote port. |
.It %r |
.It %r |
The remote username. |
The remote username. |
|
.It \&%T |
|
The local |
|
.Xr tun 4 |
|
or |
|
.Xr tap 4 |
|
network interface assigned if |
|
tunnel forwarding was requested, or |
|
.Qq NONE |
|
otherwise. |
.It %u |
.It %u |
The local username. |
The local username. |
.El |
.El |
.Pp |
.Pp |
.Cm Match exec |
.Cm Match exec |
accepts the tokens %%, %h, %L, %l, %n, %p, %r, and %u. |
accepts the tokens %%, %h, %i, %L, %l, %n, %p, %r, and %u. |
.Pp |
.Pp |
.Cm CertificateFile |
.Cm CertificateFile |
accepts the tokens %%, %d, %h, %l, %r, and %u. |
accepts the tokens %%, %d, %h, %i, %l, %r, and %u. |
.Pp |
.Pp |
.Cm ControlPath |
.Cm ControlPath |
accepts the tokens %%, %C, %h, %i, %L, %l, %n, %p, %r, and %u. |
accepts the tokens %%, %C, %h, %i, %L, %l, %n, %p, %r, and %u. |
Line 1721 accepts the tokens %% and %h. |
|
Line 1749 accepts the tokens %% and %h. |
|
.Cm IdentityAgent |
.Cm IdentityAgent |
and |
and |
.Cm IdentityFile |
.Cm IdentityFile |
accept the tokens %%, %d, %h, %l, %r, and %u. |
accept the tokens %%, %d, %h, %i, %l, %r, and %u. |
.Pp |
.Pp |
.Cm LocalCommand |
.Cm LocalCommand |
accepts the tokens %%, %C, %d, %h, %l, %n, %p, %r, and %u. |
accepts the tokens %%, %C, %d, %h, %i, %l, %n, %p, %r, %T, and %u. |
.Pp |
.Pp |
.Cm ProxyCommand |
.Cm ProxyCommand |
accepts the tokens %%, %h, %p, and %r. |
accepts the tokens %%, %h, %p, and %r. |
.Pp |
.Pp |
.Cm RemoteCommand |
.Cm RemoteCommand |
accepts the tokens %%, %C, %d, %h, %l, %n, %p, %r, and %u. |
accepts the tokens %%, %C, %d, %h, %i, %l, %n, %p, %r, and %u. |
.Sh FILES |
.Sh FILES |
.Bl -tag -width Ds |
.Bl -tag -width Ds |
.It Pa ~/.ssh/config |
.It Pa ~/.ssh/config |