| version 1.239, 2016/09/28 17:59:22 |
version 1.240, 2016/10/15 19:56:25 |
|
|
| For each parameter, the first obtained value |
For each parameter, the first obtained value |
| will be used. |
will be used. |
| The configuration files contain sections separated by |
The configuration files contain sections separated by |
| .Dq Host |
.Cm Host |
| specifications, and that section is only applied for hosts that |
specifications, and that section is only applied for hosts that |
| match one of the patterns given in the specification. |
match one of the patterns given in the specification. |
| The matched host name is usually the one given on the command line |
The matched host name is usually the one given on the command line |
| (see the |
(see the |
| .Cm CanonicalizeHostname |
.Cm CanonicalizeHostname |
| option for exceptions.) |
option for exceptions). |
| .Pp |
.Pp |
| Since the first obtained value for each parameter is used, more |
Since the first obtained value for each parameter is used, more |
| host-specific declarations should be given near the beginning of the |
host-specific declarations should be given near the beginning of the |
| file, and general defaults at the end. |
file, and general defaults at the end. |
| .Pp |
.Pp |
| The configuration file has the following format: |
The file contains keyword-argument pairs, one per line. |
| .Pp |
Lines starting with |
| Empty lines and lines starting with |
|
| .Ql # |
.Ql # |
| are comments. |
and empty lines are interpreted as comments. |
| Otherwise a line is of the format |
Arguments may optionally be enclosed in double quotes |
| .Dq keyword arguments . |
.Pq \&" |
| |
in order to represent arguments containing spaces. |
| Configuration options may be separated by whitespace or |
Configuration options may be separated by whitespace or |
| optional whitespace and exactly one |
optional whitespace and exactly one |
| .Ql = ; |
.Ql = ; |
|
|
| .Nm sftp |
.Nm sftp |
| .Fl o |
.Fl o |
| option. |
option. |
| Arguments may optionally be enclosed in double quotes |
|
| .Pq \&" |
|
| in order to represent arguments containing spaces. |
|
| .Pp |
.Pp |
| The possible |
The possible |
| keywords and their meanings are as follows (note that |
keywords and their meanings are as follows (note that |
|
|
| argument given on the command line |
argument given on the command line |
| (see the |
(see the |
| .Cm CanonicalizeHostname |
.Cm CanonicalizeHostname |
| option for exceptions.) |
keyword for exceptions). |
| .Pp |
.Pp |
| A pattern entry may be negated by prefixing it with an exclamation mark |
A pattern entry may be negated by prefixing it with an exclamation mark |
| .Pq Sq !\& . |
.Pq Sq !\& . |
|
|
| Specifies whether keys should be automatically added to a running |
Specifies whether keys should be automatically added to a running |
| .Xr ssh-agent 1 . |
.Xr ssh-agent 1 . |
| If this option is set to |
If this option is set to |
| .Dq yes |
.Cm yes |
| and a key is loaded from a file, the key and its passphrase are added to |
and a key is loaded from a file, the key and its passphrase are added to |
| the agent with the default lifetime, as if by |
the agent with the default lifetime, as if by |
| .Xr ssh-add 1 . |
.Xr ssh-add 1 . |
| If this option is set to |
If this option is set to |
| .Dq ask , |
.Cm ask , |
| .Nm ssh |
.Xr ssh 1 |
| will require confirmation using the |
will require confirmation using the |
| .Ev SSH_ASKPASS |
.Ev SSH_ASKPASS |
| program before adding a key (see |
program before adding a key (see |
| .Xr ssh-add 1 |
.Xr ssh-add 1 |
| for details). |
for details). |
| If this option is set to |
If this option is set to |
| .Dq confirm , |
.Cm confirm , |
| each use of the key must be confirmed, as if the |
each use of the key must be confirmed, as if the |
| .Fl c |
.Fl c |
| option was specified to |
option was specified to |
| .Xr ssh-add 1 . |
.Xr ssh-add 1 . |
| If this option is set to |
If this option is set to |
| .Dq no , |
.Cm no , |
| no keys are added to the agent. |
no keys are added to the agent. |
| The argument must be |
The argument must be |
| .Dq yes , |
.Cm yes , |
| .Dq confirm , |
.Cm confirm , |
| .Dq ask , |
.Cm ask , |
| or |
or |
| .Dq no . |
.Cm no |
| The default is |
(the default). |
| .Dq no . |
|
| .It Cm AddressFamily |
.It Cm AddressFamily |
| Specifies which address family to use when connecting. |
Specifies which address family to use when connecting. |
| Valid arguments are |
Valid arguments are |
| .Dq any , |
.Cm any |
| .Dq inet |
(the default), |
| |
.Cm inet |
| (use IPv4 only), or |
(use IPv4 only), or |
| .Dq inet6 |
.Cm inet6 |
| (use IPv6 only). |
(use IPv6 only). |
| The default is |
|
| .Dq any . |
|
| .It Cm BatchMode |
.It Cm BatchMode |
| If set to |
If set to |
| .Dq yes , |
.Cm yes , |
| passphrase/password querying will be disabled. |
passphrase/password querying will be disabled. |
| This option is useful in scripts and other batch jobs where no user |
This option is useful in scripts and other batch jobs where no user |
| is present to supply the password. |
is present to supply the password. |
| The argument must be |
The argument must be |
| .Dq yes |
.Cm yes |
| or |
or |
| .Dq no . |
.Cm no |
| The default is |
(the default). |
| .Dq no . |
|
| .It Cm BindAddress |
.It Cm BindAddress |
| Use the specified address on the local machine as the source address of |
Use the specified address on the local machine as the source address of |
| the connection. |
the connection. |
|
|
| Note that this option does not work if |
Note that this option does not work if |
| .Cm UsePrivilegedPort |
.Cm UsePrivilegedPort |
| is set to |
is set to |
| .Dq yes . |
.Cm yes . |
| .It Cm CanonicalDomains |
.It Cm CanonicalDomains |
| When |
When |
| .Cm CanonicalizeHostname |
.Cm CanonicalizeHostname |
|
|
| .It Cm CanonicalizeFallbackLocal |
.It Cm CanonicalizeFallbackLocal |
| Specifies whether to fail with an error when hostname canonicalization fails. |
Specifies whether to fail with an error when hostname canonicalization fails. |
| The default, |
The default, |
| .Dq yes , |
.Cm yes , |
| will attempt to look up the unqualified hostname using the system resolver's |
will attempt to look up the unqualified hostname using the system resolver's |
| search rules. |
search rules. |
| A value of |
A value of |
| .Dq no |
.Cm no |
| will cause |
will cause |
| .Xr ssh 1 |
.Xr ssh 1 |
| to fail instantly if |
to fail instantly if |
|
|
| .It Cm CanonicalizeHostname |
.It Cm CanonicalizeHostname |
| Controls whether explicit hostname canonicalization is performed. |
Controls whether explicit hostname canonicalization is performed. |
| The default, |
The default, |
| .Dq no , |
.Cm no , |
| is not to perform any name rewriting and let the system resolver handle all |
is not to perform any name rewriting and let the system resolver handle all |
| hostname lookups. |
hostname lookups. |
| If set to |
If set to |
| .Dq yes |
.Cm yes |
| then, for connections that do not use a |
then, for connections that do not use a |
| .Cm ProxyCommand , |
.Cm ProxyCommand , |
| .Xr ssh 1 |
.Xr ssh 1 |
|
|
| If |
If |
| .Cm CanonicalizeHostname |
.Cm CanonicalizeHostname |
| is set to |
is set to |
| .Dq always , |
.Cm always , |
| then canonicalization is applied to proxied connections too. |
then canonicalization is applied to proxied connections too. |
| .Pp |
.Pp |
| If this option is enabled, then the configuration files are processed |
If this option is enabled, then the configuration files are processed |
|
|
| .It Cm CanonicalizeMaxDots |
.It Cm CanonicalizeMaxDots |
| Specifies the maximum number of dot characters in a hostname before |
Specifies the maximum number of dot characters in a hostname before |
| canonicalization is disabled. |
canonicalization is disabled. |
| The default, |
The default, 1, |
| .Dq 1 , |
|
| allows a single dot (i.e. hostname.subdomain). |
allows a single dot (i.e. hostname.subdomain). |
| .It Cm CanonicalizePermittedCNAMEs |
.It Cm CanonicalizePermittedCNAMEs |
| Specifies rules to determine whether CNAMEs should be followed when |
Specifies rules to determine whether CNAMEs should be followed when |
|
|
| is a pattern-list of domains that they may resolve to. |
is a pattern-list of domains that they may resolve to. |
| .Pp |
.Pp |
| For example, |
For example, |
| .Dq *.a.example.com:*.b.example.com,*.c.example.com |
.Qq *.a.example.com:*.b.example.com,*.c.example.com |
| will allow hostnames matching |
will allow hostnames matching |
| .Dq *.a.example.com |
.Qq *.a.example.com |
| to be canonicalized to names in the |
to be canonicalized to names in the |
| .Dq *.b.example.com |
.Qq *.b.example.com |
| or |
or |
| .Dq *.c.example.com |
.Qq *.c.example.com |
| domains. |
domains. |
| .It Cm CertificateFile |
.It Cm CertificateFile |
| Specifies a file from which the user's certificate is read. |
Specifies a file from which the user's certificate is read. |
|
|
| .It Cm ChallengeResponseAuthentication |
.It Cm ChallengeResponseAuthentication |
| Specifies whether to use challenge-response authentication. |
Specifies whether to use challenge-response authentication. |
| The argument to this keyword must be |
The argument to this keyword must be |
| .Dq yes |
.Cm yes |
| |
(the default) |
| or |
or |
| .Dq no . |
.Cm no . |
| The default is |
|
| .Dq yes . |
|
| .It Cm CheckHostIP |
.It Cm CheckHostIP |
| If this flag is set to |
If set to |
| .Dq yes , |
.Cm yes |
| |
(the default), |
| .Xr ssh 1 |
.Xr ssh 1 |
| will additionally check the host IP address in the |
will additionally check the host IP address in the |
| .Pa known_hosts |
.Pa known_hosts |
| file. |
file. |
| This allows ssh to detect if a host key changed due to DNS spoofing |
This allows it to detect if a host key changed due to DNS spoofing |
| and will add addresses of destination hosts to |
and will add addresses of destination hosts to |
| .Pa ~/.ssh/known_hosts |
.Pa ~/.ssh/known_hosts |
| in the process, regardless of the setting of |
in the process, regardless of the setting of |
| .Cm StrictHostKeyChecking . |
.Cm StrictHostKeyChecking . |
| If the option is set to |
If the option is set to |
| .Dq no , |
.Cm no , |
| the check will not be executed. |
the check will not be executed. |
| The default is |
|
| .Dq yes . |
|
| .It Cm Cipher |
.It Cm Cipher |
| Specifies the cipher to use for encrypting the session |
Specifies the cipher to use for encrypting the session |
| in protocol version 1. |
in protocol version 1. |
| Currently, |
Currently, |
| .Dq blowfish , |
.Cm blowfish , |
| .Dq 3des , |
.Cm 3des |
| |
(the default), |
| and |
and |
| .Dq des |
.Cm des |
| are supported. |
are supported, |
| .Ar des |
though |
| |
.Cm des |
| is only supported in the |
is only supported in the |
| .Xr ssh 1 |
.Xr ssh 1 |
| client for interoperability with legacy protocol 1 implementations |
client for interoperability with legacy protocol 1 implementations; |
| that do not support the |
its use is strongly discouraged due to cryptographic weaknesses. |
| .Ar 3des |
|
| cipher. |
|
| Its use is strongly discouraged due to cryptographic weaknesses. |
|
| The default is |
|
| .Dq 3des . |
|
| .It Cm Ciphers |
.It Cm Ciphers |
| Specifies the ciphers allowed for protocol version 2 |
Specifies the ciphers allowed for protocol version 2 |
| in order of preference. |
in order of preference. |
|
|
| instead of replacing them. |
instead of replacing them. |
| .Pp |
.Pp |
| The supported ciphers are: |
The supported ciphers are: |
| .Pp |
.Bd -literal -offset indent |
| .Bl -item -compact -offset indent |
|
| .It |
|
| 3des-cbc |
3des-cbc |
| .It |
|
| aes128-cbc |
aes128-cbc |
| .It |
|
| aes192-cbc |
aes192-cbc |
| .It |
|
| aes256-cbc |
aes256-cbc |
| .It |
|
| aes128-ctr |
aes128-ctr |
| .It |
|
| aes192-ctr |
aes192-ctr |
| .It |
|
| aes256-ctr |
aes256-ctr |
| .It |
|
| aes128-gcm@openssh.com |
aes128-gcm@openssh.com |
| .It |
|
| aes256-gcm@openssh.com |
aes256-gcm@openssh.com |
| .It |
|
| arcfour |
arcfour |
| .It |
|
| arcfour128 |
arcfour128 |
| .It |
|
| arcfour256 |
arcfour256 |
| .It |
|
| blowfish-cbc |
blowfish-cbc |
| .It |
|
| cast128-cbc |
cast128-cbc |
| .It |
|
| chacha20-poly1305@openssh.com |
chacha20-poly1305@openssh.com |
| .El |
.Ed |
| .Pp |
.Pp |
| The default is: |
The default is: |
| .Bd -literal -offset indent |
.Bd -literal -offset indent |
|
|
| aes128-cbc,aes192-cbc,aes256-cbc |
aes128-cbc,aes192-cbc,aes256-cbc |
| .Ed |
.Ed |
| .Pp |
.Pp |
| The list of available ciphers may also be obtained using the |
The list of available ciphers may also be obtained using |
| .Fl Q |
.Qq ssh -Q cipher . |
| option of |
|
| .Xr ssh 1 |
|
| with an argument of |
|
| .Dq cipher . |
|
| .It Cm ClearAllForwardings |
.It Cm ClearAllForwardings |
| Specifies that all local, remote, and dynamic port forwardings |
Specifies that all local, remote, and dynamic port forwardings |
| specified in the configuration files or on the command line be |
specified in the configuration files or on the command line be |
|
|
| and |
and |
| .Xr sftp 1 . |
.Xr sftp 1 . |
| The argument must be |
The argument must be |
| .Dq yes |
.Cm yes |
| or |
or |
| .Dq no . |
.Cm no |
| The default is |
(the default). |
| .Dq no . |
|
| .It Cm Compression |
.It Cm Compression |
| Specifies whether to use compression. |
Specifies whether to use compression. |
| The argument must be |
The argument must be |
| .Dq yes |
.Cm yes |
| or |
or |
| .Dq no . |
.Cm no |
| The default is |
(the default). |
| .Dq no . |
|
| .It Cm CompressionLevel |
.It Cm CompressionLevel |
| Specifies the compression level to use if compression is enabled. |
Specifies the compression level to use if compression is enabled. |
| The argument must be an integer from 1 (fast) to 9 (slow, best). |
The argument must be an integer from 1 (fast) to 9 (slow, best). |
|
|
| .It Cm ControlMaster |
.It Cm ControlMaster |
| Enables the sharing of multiple sessions over a single network connection. |
Enables the sharing of multiple sessions over a single network connection. |
| When set to |
When set to |
| .Dq yes , |
.Cm yes , |
| .Xr ssh 1 |
.Xr ssh 1 |
| will listen for connections on a control socket specified using the |
will listen for connections on a control socket specified using the |
| .Cm ControlPath |
.Cm ControlPath |
|
|
| with |
with |
| .Cm ControlMaster |
.Cm ControlMaster |
| set to |
set to |
| .Dq no |
.Cm no |
| (the default). |
(the default). |
| These sessions will try to reuse the master instance's network connection |
These sessions will try to reuse the master instance's network connection |
| rather than initiating new ones, but will fall back to connecting normally |
rather than initiating new ones, but will fall back to connecting normally |
| if the control socket does not exist, or is not listening. |
if the control socket does not exist, or is not listening. |
| .Pp |
.Pp |
| Setting this to |
Setting this to |
| .Dq ask |
.Cm ask |
| will cause ssh |
will cause |
| |
.Xr ssh 1 |
| to listen for control connections, but require confirmation using |
to listen for control connections, but require confirmation using |
| .Xr ssh-askpass 1 . |
.Xr ssh-askpass 1 . |
| If the |
If the |
| .Cm ControlPath |
.Cm ControlPath |
| cannot be opened, |
cannot be opened, |
| ssh will continue without connecting to a master instance. |
.Xr ssh 1 |
| |
will continue without connecting to a master instance. |
| .Pp |
.Pp |
| X11 and |
X11 and |
| .Xr ssh-agent 1 |
.Xr ssh-agent 1 |
|
|
| master connection but fall back to creating a new one if one does not already |
master connection but fall back to creating a new one if one does not already |
| exist. |
exist. |
| These options are: |
These options are: |
| .Dq auto |
.Cm auto |
| and |
and |
| .Dq autoask . |
.Cm autoask . |
| The latter requires confirmation like the |
The latter requires confirmation like the |
| .Dq ask |
.Cm ask |
| option. |
option. |
| .It Cm ControlPath |
.It Cm ControlPath |
| Specify the path to the control socket used for connection sharing as described |
Specify the path to the control socket used for connection sharing as described |
| in the |
in the |
| .Cm ControlMaster |
.Cm ControlMaster |
| section above or the string |
section above or the string |
| .Dq none |
.Cm none |
| to disable connection sharing. |
to disable connection sharing. |
| Arguments to |
Arguments to |
| .Cm ControlPath |
.Cm ControlPath |
|
|
| in the background (waiting for future client connections) |
in the background (waiting for future client connections) |
| after the initial client connection has been closed. |
after the initial client connection has been closed. |
| If set to |
If set to |
| .Dq no , |
.Cm no , |
| then the master connection will not be placed into the background, |
then the master connection will not be placed into the background, |
| and will close as soon as the initial client connection is closed. |
and will close as soon as the initial client connection is closed. |
| If set to |
If set to |
| .Dq yes |
.Cm yes |
| or |
or 0, |
| .Dq 0 , |
|
| then the master connection will remain in the background indefinitely |
then the master connection will remain in the background indefinitely |
| (until killed or closed via a mechanism such as the |
(until killed or closed via a mechanism such as the |
| .Xr ssh 1 |
.Qq ssh -O exit ) . |
| .Dq Fl O No exit |
|
| option). |
|
| If set to a time in seconds, or a time in any of the formats documented in |
If set to a time in seconds, or a time in any of the formats documented in |
| .Xr sshd_config 5 , |
.Xr sshd_config 5 , |
| then the backgrounded master connection will automatically terminate |
then the backgrounded master connection will automatically terminate |
|
|
| The |
The |
| .Ar bind_address |
.Ar bind_address |
| of |
of |
| .Dq localhost |
.Cm localhost |
| indicates that the listening port be bound for local use only, while an |
indicates that the listening port be bound for local use only, while an |
| empty address or |
empty address or |
| .Sq * |
.Sq * |
|
|
| Only the superuser can forward privileged ports. |
Only the superuser can forward privileged ports. |
| .It Cm EnableSSHKeysign |
.It Cm EnableSSHKeysign |
| Setting this option to |
Setting this option to |
| .Dq yes |
.Cm yes |
| in the global client configuration file |
in the global client configuration file |
| .Pa /etc/ssh/ssh_config |
.Pa /etc/ssh/ssh_config |
| enables the use of the helper program |
enables the use of the helper program |
|
|
| during |
during |
| .Cm HostbasedAuthentication . |
.Cm HostbasedAuthentication . |
| The argument must be |
The argument must be |
| .Dq yes |
.Cm yes |
| or |
or |
| .Dq no . |
.Cm no |
| The default is |
(the default). |
| .Dq no . |
|
| This option should be placed in the non-hostspecific section. |
This option should be placed in the non-hostspecific section. |
| See |
See |
| .Xr ssh-keysign 8 |
.Xr ssh-keysign 8 |
|
|
| The argument should be a single character, |
The argument should be a single character, |
| .Ql ^ |
.Ql ^ |
| followed by a letter, or |
followed by a letter, or |
| .Dq none |
.Cm none |
| to disable the escape |
to disable the escape |
| character entirely (making the connection transparent for binary |
character entirely (making the connection transparent for binary |
| data). |
data). |
|
|
| .Xr ssh 1 |
.Xr ssh 1 |
| to exit if TCP connections to the ultimate forwarding destination fail. |
to exit if TCP connections to the ultimate forwarding destination fail. |
| The argument must be |
The argument must be |
| .Dq yes |
.Cm yes |
| or |
or |
| .Dq no . |
.Cm no |
| The default is |
(the default). |
| .Dq no . |
|
| .It Cm FingerprintHash |
.It Cm FingerprintHash |
| Specifies the hash algorithm used when displaying key fingerprints. |
Specifies the hash algorithm used when displaying key fingerprints. |
| Valid options are: |
Valid options are: |
| .Dq md5 |
.Cm md5 |
| and |
and |
| .Dq sha256 . |
.Cm sha256 |
| The default is |
(the default). |
| .Dq sha256 . |
|
| .It Cm ForwardAgent |
.It Cm ForwardAgent |
| Specifies whether the connection to the authentication agent (if any) |
Specifies whether the connection to the authentication agent (if any) |
| will be forwarded to the remote machine. |
will be forwarded to the remote machine. |
| The argument must be |
The argument must be |
| .Dq yes |
.Cm yes |
| or |
or |
| .Dq no . |
.Cm no |
| The default is |
(the default). |
| .Dq no . |
|
| .Pp |
.Pp |
| Agent forwarding should be enabled with caution. |
Agent forwarding should be enabled with caution. |
| Users with the ability to bypass file permissions on the remote host |
Users with the ability to bypass file permissions on the remote host |
|
|
| .Ev DISPLAY |
.Ev DISPLAY |
| set. |
set. |
| The argument must be |
The argument must be |
| .Dq yes |
.Cm yes |
| or |
or |
| .Dq no . |
.Cm no |
| The default is |
(the default). |
| .Dq no . |
|
| .Pp |
.Pp |
| X11 forwarding should be enabled with caution. |
X11 forwarding should be enabled with caution. |
| Users with the ability to bypass file permissions on the remote host |
Users with the ability to bypass file permissions on the remote host |
|
|
| .It Cm ForwardX11Timeout |
.It Cm ForwardX11Timeout |
| Specify a timeout for untrusted X11 forwarding |
Specify a timeout for untrusted X11 forwarding |
| using the format described in the |
using the format described in the |
| TIME FORMATS section of |
.Sx TIME FORMATS |
| |
section of |
| .Xr sshd_config 5 . |
.Xr sshd_config 5 . |
| X11 connections received by |
X11 connections received by |
| .Xr ssh 1 |
.Xr ssh 1 |
|
|
| elapsed. |
elapsed. |
| .It Cm ForwardX11Trusted |
.It Cm ForwardX11Trusted |
| If this option is set to |
If this option is set to |
| .Dq yes , |
.Cm yes , |
| remote X11 clients will have full access to the original X11 display. |
remote X11 clients will have full access to the original X11 display. |
| .Pp |
.Pp |
| If this option is set to |
If this option is set to |
| .Dq no , |
.Cm no |
| |
(the default), |
| remote X11 clients will be considered untrusted and prevented |
remote X11 clients will be considered untrusted and prevented |
| from stealing or tampering with data belonging to trusted X11 |
from stealing or tampering with data belonging to trusted X11 |
| clients. |
clients. |
|
|
| token used for the session will be set to expire after 20 minutes. |
token used for the session will be set to expire after 20 minutes. |
| Remote clients will be refused access after this time. |
Remote clients will be refused access after this time. |
| .Pp |
.Pp |
| The default is |
|
| .Dq no . |
|
| .Pp |
|
| See the X11 SECURITY extension specification for full details on |
See the X11 SECURITY extension specification for full details on |
| the restrictions imposed on untrusted clients. |
the restrictions imposed on untrusted clients. |
| .It Cm GatewayPorts |
.It Cm GatewayPorts |
|
|
| should bind local port forwardings to the wildcard address, |
should bind local port forwardings to the wildcard address, |
| thus allowing remote hosts to connect to forwarded ports. |
thus allowing remote hosts to connect to forwarded ports. |
| The argument must be |
The argument must be |
| .Dq yes |
.Cm yes |
| or |
or |
| .Dq no . |
.Cm no |
| The default is |
(the default). |
| .Dq no . |
|
| .It Cm GlobalKnownHostsFile |
.It Cm GlobalKnownHostsFile |
| Specifies one or more files to use for the global |
Specifies one or more files to use for the global |
| host key database, separated by whitespace. |
host key database, separated by whitespace. |
|
|
| .It Cm GSSAPIAuthentication |
.It Cm GSSAPIAuthentication |
| Specifies whether user authentication based on GSSAPI is allowed. |
Specifies whether user authentication based on GSSAPI is allowed. |
| The default is |
The default is |
| .Dq no . |
.Cm no . |
| .It Cm GSSAPIDelegateCredentials |
.It Cm GSSAPIDelegateCredentials |
| Forward (delegate) credentials to the server. |
Forward (delegate) credentials to the server. |
| The default is |
The default is |
| .Dq no . |
.Cm no . |
| .It Cm HashKnownHosts |
.It Cm HashKnownHosts |
| Indicates that |
Indicates that |
| .Xr ssh 1 |
.Xr ssh 1 |
|
|
| but they do not reveal identifying information should the file's contents |
but they do not reveal identifying information should the file's contents |
| be disclosed. |
be disclosed. |
| The default is |
The default is |
| .Dq no . |
.Cm no . |
| Note that existing names and addresses in known hosts files |
Note that existing names and addresses in known hosts files |
| will not be converted automatically, |
will not be converted automatically, |
| but may be manually hashed using |
but may be manually hashed using |
|
|
| Specifies whether to try rhosts based authentication with public key |
Specifies whether to try rhosts based authentication with public key |
| authentication. |
authentication. |
| The argument must be |
The argument must be |
| .Dq yes |
.Cm yes |
| or |
or |
| .Dq no . |
.Cm no |
| The default is |
(the default). |
| .Dq no . |
|
| .It Cm HostbasedKeyTypes |
.It Cm HostbasedKeyTypes |
| Specifies the key types that will be used for hostbased authentication |
Specifies the key types that will be used for hostbased authentication |
| as a comma-separated pattern list. |
as a comma-separated pattern list. |
|
|
| If hostkeys are known for the destination host then this default is modified |
If hostkeys are known for the destination host then this default is modified |
| to prefer their algorithms. |
to prefer their algorithms. |
| .Pp |
.Pp |
| The list of available key types may also be obtained using the |
The list of available key types may also be obtained using |
| .Fl Q |
.Qq ssh -Q key . |
| option of |
|
| .Xr ssh 1 |
|
| with an argument of |
|
| .Dq key . |
|
| .It Cm HostKeyAlias |
.It Cm HostKeyAlias |
| Specifies an alias that should be used instead of the |
Specifies an alias that should be used instead of the |
| real host name when looking up or saving the host key |
real host name when looking up or saving the host key |
|
|
| .Cm PKCS11Provider |
.Cm PKCS11Provider |
| offers more identities. |
offers more identities. |
| The argument to this keyword must be |
The argument to this keyword must be |
| .Dq yes |
.Cm yes |
| or |
or |
| .Dq no . |
.Cm no |
| |
(the default). |
| This option is intended for situations where ssh-agent |
This option is intended for situations where ssh-agent |
| offers many different identities. |
offers many different identities. |
| The default is |
|
| .Dq no . |
|
| .It Cm IdentityAgent |
.It Cm IdentityAgent |
| Specifies the |
Specifies the |
| .Ux Ns -domain |
.Ux Ns -domain |
| socket used to communicate with the authentication agent. |
socket used to communicate with the authentication agent. |
| .Pp |
.Pp |
| This option overrides the |
This option overrides the |
| .Dq SSH_AUTH_SOCK |
.Ev SSH_AUTH_SOCK |
| environment variable and can be used to select a specific agent. |
environment variable and can be used to select a specific agent. |
| Setting the socket name to |
Setting the socket name to |
| .Dq none |
.Cm none |
| disables the use of an authentication agent. |
disables the use of an authentication agent. |
| If the string |
If the string |
| .Dq SSH_AUTH_SOCK |
.Qq SSH_AUTH_SOCK |
| is specified, the location of the socket will be read from the |
is specified, the location of the socket will be read from the |
| .Ev SSH_AUTH_SOCK |
.Ev SSH_AUTH_SOCK |
| environment variable. |
environment variable. |
|
|
| Multiple pathnames may be specified and each pathname may contain |
Multiple pathnames may be specified and each pathname may contain |
| .Xr glob 3 |
.Xr glob 3 |
| wildcards and, for user configurations, shell-like |
wildcards and, for user configurations, shell-like |
| .Dq ~ |
.Sq ~ |
| references to user home directories. |
references to user home directories. |
| Files without absolute paths are assumed to be in |
Files without absolute paths are assumed to be in |
| .Pa ~/.ssh |
.Pa ~/.ssh |
|
|
| .It Cm IPQoS |
.It Cm IPQoS |
| Specifies the IPv4 type-of-service or DSCP class for connections. |
Specifies the IPv4 type-of-service or DSCP class for connections. |
| Accepted values are |
Accepted values are |
| .Dq af11 , |
.Cm af11 , |
| .Dq af12 , |
.Cm af12 , |
| .Dq af13 , |
.Cm af13 , |
| .Dq af21 , |
.Cm af21 , |
| .Dq af22 , |
.Cm af22 , |
| .Dq af23 , |
.Cm af23 , |
| .Dq af31 , |
.Cm af31 , |
| .Dq af32 , |
.Cm af32 , |
| .Dq af33 , |
.Cm af33 , |
| .Dq af41 , |
.Cm af41 , |
| .Dq af42 , |
.Cm af42 , |
| .Dq af43 , |
.Cm af43 , |
| .Dq cs0 , |
.Cm cs0 , |
| .Dq cs1 , |
.Cm cs1 , |
| .Dq cs2 , |
.Cm cs2 , |
| .Dq cs3 , |
.Cm cs3 , |
| .Dq cs4 , |
.Cm cs4 , |
| .Dq cs5 , |
.Cm cs5 , |
| .Dq cs6 , |
.Cm cs6 , |
| .Dq cs7 , |
.Cm cs7 , |
| .Dq ef , |
.Cm ef , |
| .Dq lowdelay , |
.Cm lowdelay , |
| .Dq throughput , |
.Cm throughput , |
| .Dq reliability , |
.Cm reliability , |
| or a numeric value. |
or a numeric value. |
| This option may take one or two arguments, separated by whitespace. |
This option may take one or two arguments, separated by whitespace. |
| If one argument is specified, it is used as the packet class unconditionally. |
If one argument is specified, it is used as the packet class unconditionally. |
| If two values are specified, the first is automatically selected for |
If two values are specified, the first is automatically selected for |
| interactive sessions and the second for non-interactive sessions. |
interactive sessions and the second for non-interactive sessions. |
| The default is |
The default is |
| .Dq lowdelay |
.Cm lowdelay |
| for interactive sessions and |
for interactive sessions and |
| .Dq throughput |
.Cm throughput |
| for non-interactive sessions. |
for non-interactive sessions. |
| .It Cm KbdInteractiveAuthentication |
.It Cm KbdInteractiveAuthentication |
| Specifies whether to use keyboard-interactive authentication. |
Specifies whether to use keyboard-interactive authentication. |
| The argument to this keyword must be |
The argument to this keyword must be |
| .Dq yes |
.Cm yes |
| |
(the default) |
| or |
or |
| .Dq no . |
.Cm no . |
| The default is |
|
| .Dq yes . |
|
| .It Cm KbdInteractiveDevices |
.It Cm KbdInteractiveDevices |
| Specifies the list of methods to use in keyboard-interactive authentication. |
Specifies the list of methods to use in keyboard-interactive authentication. |
| Multiple method names must be comma-separated. |
Multiple method names must be comma-separated. |
|
|
| The methods available vary depending on what the server supports. |
The methods available vary depending on what the server supports. |
| For an OpenSSH server, |
For an OpenSSH server, |
| it may be zero or more of: |
it may be zero or more of: |
| .Dq bsdauth , |
.Cm bsdauth , |
| .Dq pam , |
.Cm pam , |
| and |
and |
| .Dq skey . |
.Cm skey . |
| .It Cm KexAlgorithms |
.It Cm KexAlgorithms |
| Specifies the available KEX (Key Exchange) algorithms. |
Specifies the available KEX (Key Exchange) algorithms. |
| Multiple algorithms must be comma-separated. |
Multiple algorithms must be comma-separated. |
|
|
| diffie-hellman-group14-sha1 |
diffie-hellman-group14-sha1 |
| .Ed |
.Ed |
| .Pp |
.Pp |
| The list of available key exchange algorithms may also be obtained using the |
The list of available key exchange algorithms may also be obtained using |
| .Fl Q |
.Qq ssh -Q kex . |
| option of |
|
| .Xr ssh 1 |
|
| with an argument of |
|
| .Dq kex . |
|
| .It Cm LocalCommand |
.It Cm LocalCommand |
| Specifies a command to execute on the local machine after successfully |
Specifies a command to execute on the local machine after successfully |
| connecting to the server. |
connecting to the server. |
|
|
| The |
The |
| .Ar bind_address |
.Ar bind_address |
| of |
of |
| .Dq localhost |
.Cm localhost |
| indicates that the listening port be bound for local use only, while an |
indicates that the listening port be bound for local use only, while an |
| empty address or |
empty address or |
| .Sq * |
.Sq * |
|
|
| instead of replacing them. |
instead of replacing them. |
| .Pp |
.Pp |
| The algorithms that contain |
The algorithms that contain |
| .Dq -etm |
.Qq -etm |
| calculate the MAC after encryption (encrypt-then-mac). |
calculate the MAC after encryption (encrypt-then-mac). |
| These are considered safer and their use recommended. |
These are considered safer and their use recommended. |
| .Pp |
.Pp |
|
|
| hmac-sha2-256,hmac-sha2-512,hmac-sha1 |
hmac-sha2-256,hmac-sha2-512,hmac-sha1 |
| .Ed |
.Ed |
| .Pp |
.Pp |
| The list of available MAC algorithms may also be obtained using the |
The list of available MAC algorithms may also be obtained using |
| .Fl Q |
.Qq ssh -Q mac . |
| option of |
|
| .Xr ssh 1 |
|
| with an argument of |
|
| .Dq mac . |
|
| .It Cm NoHostAuthenticationForLocalhost |
.It Cm NoHostAuthenticationForLocalhost |
| This option can be used if the home directory is shared across machines. |
This option can be used if the home directory is shared across machines. |
| In this case localhost will refer to a different machine on each of |
In this case localhost will refer to a different machine on each of |
| the machines and the user will get many warnings about changed host keys. |
the machines and the user will get many warnings about changed host keys. |
| However, this option disables host authentication for localhost. |
However, this option disables host authentication for localhost. |
| The argument to this keyword must be |
The argument to this keyword must be |
| .Dq yes |
.Cm yes |
| or |
or |
| .Dq no . |
.Cm no . |
| The default is to check the host key for localhost. |
(the default). |
| .It Cm NumberOfPasswordPrompts |
.It Cm NumberOfPasswordPrompts |
| Specifies the number of password prompts before giving up. |
Specifies the number of password prompts before giving up. |
| The argument to this keyword must be an integer. |
The argument to this keyword must be an integer. |
|
|
| .It Cm PasswordAuthentication |
.It Cm PasswordAuthentication |
| Specifies whether to use password authentication. |
Specifies whether to use password authentication. |
| The argument to this keyword must be |
The argument to this keyword must be |
| .Dq yes |
.Cm yes |
| |
(the default) |
| or |
or |
| .Dq no . |
.Cm no . |
| The default is |
|
| .Dq yes . |
|
| .It Cm PermitLocalCommand |
.It Cm PermitLocalCommand |
| Allow local command execution via the |
Allow local command execution via the |
| .Ic LocalCommand |
.Ic LocalCommand |
|
|
| escape sequence in |
escape sequence in |
| .Xr ssh 1 . |
.Xr ssh 1 . |
| The argument must be |
The argument must be |
| .Dq yes |
.Cm yes |
| or |
or |
| .Dq no . |
.Cm no |
| The default is |
(the default). |
| .Dq no . |
|
| .It Cm PKCS11Provider |
.It Cm PKCS11Provider |
| Specifies which PKCS#11 provider to use. |
Specifies which PKCS#11 provider to use. |
| The argument to this keyword is the PKCS#11 shared library |
The argument to this keyword is the PKCS#11 shared library |
|
|
| Specifies the protocol versions |
Specifies the protocol versions |
| .Xr ssh 1 |
.Xr ssh 1 |
| should support in order of preference. |
should support in order of preference. |
| The possible values are |
The possible values are 1 and 2. |
| .Sq 1 |
|
| and |
|
| .Sq 2 . |
|
| Multiple versions must be comma-separated. |
Multiple versions must be comma-separated. |
| When this option is set to |
When this option is set to |
| .Dq 2,1 |
.Cm 2,1 |
| .Nm ssh |
.Nm ssh |
| will try version 2 and fall back to version 1 |
will try version 2 and fall back to version 1 |
| if version 2 is not available. |
if version 2 is not available. |
| The default is |
The default is version 2. |
| .Sq 2 . |
|
| Protocol 1 suffers from a number of cryptographic weaknesses and should |
Protocol 1 suffers from a number of cryptographic weaknesses and should |
| not be used. |
not be used. |
| It is only offered to support legacy devices. |
It is only offered to support legacy devices. |
|
|
| HostName of the host being connected (defaulting to the name typed by |
HostName of the host being connected (defaulting to the name typed by |
| the user). |
the user). |
| Setting the command to |
Setting the command to |
| .Dq none |
.Cm none |
| disables this option entirely. |
disables this option entirely. |
| Note that |
Note that |
| .Cm CheckHostIP |
.Cm CheckHostIP |
|
|
| .Xr ssh 1 |
.Xr ssh 1 |
| instead of continuing to execute and pass data. |
instead of continuing to execute and pass data. |
| The default is |
The default is |
| .Dq no . |
.Cm no . |
| .It Cm PubkeyAcceptedKeyTypes |
.It Cm PubkeyAcceptedKeyTypes |
| Specifies the key types that will be used for public key authentication |
Specifies the key types that will be used for public key authentication |
| as a comma-separated pattern list. |
as a comma-separated pattern list. |
|
|
| ssh-ed25519,ssh-rsa |
ssh-ed25519,ssh-rsa |
| .Ed |
.Ed |
| .Pp |
.Pp |
| The |
The list of available key types may also be obtained using |
| .Fl Q |
.Qq ssh -Q key . |
| option of |
|
| .Xr ssh 1 |
|
| may be used to list supported key types. |
|
| .It Cm PubkeyAuthentication |
.It Cm PubkeyAuthentication |
| Specifies whether to try public key authentication. |
Specifies whether to try public key authentication. |
| The argument to this keyword must be |
The argument to this keyword must be |
| .Dq yes |
.Cm yes |
| |
(the default) |
| or |
or |
| .Dq no . |
.Cm no . |
| The default is |
|
| .Dq yes . |
|
| .It Cm RekeyLimit |
.It Cm RekeyLimit |
| Specifies the maximum amount of data that may be transmitted before the |
Specifies the maximum amount of data that may be transmitted before the |
| session key is renegotiated, optionally followed a maximum amount of |
session key is renegotiated, optionally followed a maximum amount of |
|
|
| depending on the cipher. |
depending on the cipher. |
| The optional second value is specified in seconds and may use any of the |
The optional second value is specified in seconds and may use any of the |
| units documented in the |
units documented in the |
| TIME FORMATS section of |
.Sx TIME FORMATS |
| |
section of |
| .Xr sshd_config 5 . |
.Xr sshd_config 5 . |
| The default value for |
The default value for |
| .Cm RekeyLimit |
.Cm RekeyLimit |
| is |
is |
| .Dq default none , |
.Cm default none , |
| which means that rekeying is performed after the cipher's default amount |
which means that rekeying is performed after the cipher's default amount |
| of data has been sent or received and no time based rekeying is done. |
of data has been sent or received and no time based rekeying is done. |
| .It Cm RemoteForward |
.It Cm RemoteForward |
|
|
| .Pp |
.Pp |
| If the |
If the |
| .Ar port |
.Ar port |
| argument is |
argument is 0, |
| .Ql 0 , |
|
| the listen port will be dynamically allocated on the server and reported |
the listen port will be dynamically allocated on the server and reported |
| to the client at run time. |
to the client at run time. |
| .Pp |
.Pp |
|
|
| .It Cm RequestTTY |
.It Cm RequestTTY |
| Specifies whether to request a pseudo-tty for the session. |
Specifies whether to request a pseudo-tty for the session. |
| The argument may be one of: |
The argument may be one of: |
| .Dq no |
.Cm no |
| (never request a TTY), |
(never request a TTY), |
| .Dq yes |
.Cm yes |
| (always request a TTY when standard input is a TTY), |
(always request a TTY when standard input is a TTY), |
| .Dq force |
.Cm force |
| (always request a TTY) or |
(always request a TTY) or |
| .Dq auto |
.Cm auto |
| (request a TTY when opening a login session). |
(request a TTY when opening a login session). |
| This option mirrors the |
This option mirrors the |
| .Fl t |
.Fl t |
|
|
| Specifies whether to try rhosts based authentication with RSA host |
Specifies whether to try rhosts based authentication with RSA host |
| authentication. |
authentication. |
| The argument must be |
The argument must be |
| .Dq yes |
.Cm yes |
| or |
or |
| .Dq no . |
.Cm no |
| The default is |
(the default). |
| .Dq no . |
|
| This option applies to protocol version 1 only and requires |
This option applies to protocol version 1 only and requires |
| .Xr ssh 1 |
.Xr ssh 1 |
| to be setuid root. |
to be setuid root. |
| .It Cm RSAAuthentication |
.It Cm RSAAuthentication |
| Specifies whether to try RSA authentication. |
Specifies whether to try RSA authentication. |
| The argument to this keyword must be |
The argument to this keyword must be |
| .Dq yes |
.Cm yes |
| |
(the default) |
| or |
or |
| .Dq no . |
.Cm no . |
| RSA authentication will only be |
RSA authentication will only be |
| attempted if the identity file exists, or an authentication agent is |
attempted if the identity file exists, or an authentication agent is |
| running. |
running. |
| The default is |
|
| .Dq yes . |
|
| Note that this option applies to protocol version 1 only. |
Note that this option applies to protocol version 1 only. |
| .It Cm SendEnv |
.It Cm SendEnv |
| Specifies what variables from the local |
Specifies what variables from the local |
|
|
| This option is only used for port forwarding to a Unix-domain socket file. |
This option is only used for port forwarding to a Unix-domain socket file. |
| .Pp |
.Pp |
| The argument must be |
The argument must be |
| .Dq yes |
.Cm yes |
| or |
or |
| .Dq no . |
.Cm no |
| The default is |
(the default). |
| .Dq no . |
|
| .It Cm StrictHostKeyChecking |
.It Cm StrictHostKeyChecking |
| If this flag is set to |
If this flag is set to |
| .Dq yes , |
.Cm yes , |
| .Xr ssh 1 |
.Xr ssh 1 |
| will never automatically add host keys to the |
will never automatically add host keys to the |
| .Pa ~/.ssh/known_hosts |
.Pa ~/.ssh/known_hosts |
|
|
| This option forces the user to manually |
This option forces the user to manually |
| add all new hosts. |
add all new hosts. |
| If this flag is set to |
If this flag is set to |
| .Dq no , |
.Cm no , |
| ssh will automatically add new host keys to the |
ssh will automatically add new host keys to the |
| user known hosts files. |
user known hosts files. |
| If this flag is set to |
If this flag is set to |
| .Dq ask , |
.Cm ask |
| |
(the default), |
| new host keys |
new host keys |
| will be added to the user known host files only after the user |
will be added to the user known host files only after the user |
| has confirmed that is what they really want to do, and |
has confirmed that is what they really want to do, and |
| ssh will refuse to connect to hosts whose host key has changed. |
ssh will refuse to connect to hosts whose host key has changed. |
| The host keys of |
The host keys of |
| known hosts will be verified automatically in all cases. |
known hosts will be verified automatically in all cases. |
| The argument must be |
|
| .Dq yes , |
|
| .Dq no , |
|
| or |
|
| .Dq ask . |
|
| The default is |
|
| .Dq ask . |
|
| .It Cm TCPKeepAlive |
.It Cm TCPKeepAlive |
| Specifies whether the system should send TCP keepalive messages to the |
Specifies whether the system should send TCP keepalive messages to the |
| other side. |
other side. |
|
|
| find it annoying. |
find it annoying. |
| .Pp |
.Pp |
| The default is |
The default is |
| .Dq yes |
.Cm yes |
| (to send TCP keepalive messages), and the client will notice |
(to send TCP keepalive messages), and the client will notice |
| if the network goes down or the remote host dies. |
if the network goes down or the remote host dies. |
| This is important in scripts, and many users want it too. |
This is important in scripts, and many users want it too. |
| .Pp |
.Pp |
| To disable TCP keepalive messages, the value should be set to |
To disable TCP keepalive messages, the value should be set to |
| .Dq no . |
.Cm no . |
| .It Cm Tunnel |
.It Cm Tunnel |
| Request |
Request |
| .Xr tun 4 |
.Xr tun 4 |
| device forwarding between the client and the server. |
device forwarding between the client and the server. |
| The argument must be |
The argument must be |
| .Dq yes , |
.Cm yes , |
| .Dq point-to-point |
.Cm point-to-point |
| (layer 3), |
(layer 3), |
| .Dq ethernet |
.Cm ethernet |
| (layer 2), |
(layer 2), |
| or |
or |
| .Dq no . |
.Cm no |
| |
(the default). |
| Specifying |
Specifying |
| .Dq yes |
.Cm yes |
| requests the default tunnel mode, which is |
requests the default tunnel mode, which is |
| .Dq point-to-point . |
.Cm point-to-point . |
| The default is |
|
| .Dq no . |
|
| .It Cm TunnelDevice |
.It Cm TunnelDevice |
| Specifies the |
Specifies the |
| .Xr tun 4 |
.Xr tun 4 |
|
|
| .Ar local_tun Op : Ar remote_tun . |
.Ar local_tun Op : Ar remote_tun . |
| .Sm on |
.Sm on |
| The devices may be specified by numerical ID or the keyword |
The devices may be specified by numerical ID or the keyword |
| .Dq any , |
.Cm any , |
| which uses the next available tunnel device. |
which uses the next available tunnel device. |
| If |
If |
| .Ar remote_tun |
.Ar remote_tun |
| is not specified, it defaults to |
is not specified, it defaults to |
| .Dq any . |
.Cm any . |
| The default is |
The default is |
| .Dq any:any . |
.Cm any:any . |
| .It Cm UpdateHostKeys |
.It Cm UpdateHostKeys |
| Specifies whether |
Specifies whether |
| .Xr ssh 1 |
.Xr ssh 1 |
|
|
| after authentication has completed and add them to |
after authentication has completed and add them to |
| .Cm UserKnownHostsFile . |
.Cm UserKnownHostsFile . |
| The argument must be |
The argument must be |
| .Dq yes , |
.Cm yes , |
| .Dq no |
.Cm no |
| (the default) or |
(the default) or |
| .Dq ask . |
.Cm ask . |
| Enabling this option allows learning alternate hostkeys for a server |
Enabling this option allows learning alternate hostkeys for a server |
| and supports graceful key rotation by allowing a server to send replacement |
and supports graceful key rotation by allowing a server to send replacement |
| public keys before old ones are removed. |
public keys before old ones are removed. |
|
|
| If |
If |
| .Cm UpdateHostKeys |
.Cm UpdateHostKeys |
| is set to |
is set to |
| .Dq ask , |
.Cm ask , |
| then the user is asked to confirm the modifications to the known_hosts file. |
then the user is asked to confirm the modifications to the known_hosts file. |
| Confirmation is currently incompatible with |
Confirmation is currently incompatible with |
| .Cm ControlPersist , |
.Cm ControlPersist , |
|
|
| Presently, only |
Presently, only |
| .Xr sshd 8 |
.Xr sshd 8 |
| from OpenSSH 6.8 and greater support the |
from OpenSSH 6.8 and greater support the |
| .Dq hostkeys@openssh.com |
.Qq hostkeys@openssh.com |
| protocol extension used to inform the client of all the server's hostkeys. |
protocol extension used to inform the client of all the server's hostkeys. |
| .It Cm UsePrivilegedPort |
.It Cm UsePrivilegedPort |
| Specifies whether to use a privileged port for outgoing connections. |
Specifies whether to use a privileged port for outgoing connections. |
| The argument must be |
The argument must be |
| .Dq yes |
.Cm yes |
| or |
or |
| .Dq no . |
.Cm no |
| The default is |
(the default). |
| .Dq no . |
|
| If set to |
If set to |
| .Dq yes , |
.Cm yes , |
| .Xr ssh 1 |
.Xr ssh 1 |
| must be setuid root. |
must be setuid root. |
| Note that this option must be set to |
Note that this option must be set to |
| .Dq yes |
.Cm yes |
| for |
for |
| .Cm RhostsRSAAuthentication |
.Cm RhostsRSAAuthentication |
| with older servers. |
with older servers. |
|
|
| Specifies whether to verify the remote key using DNS and SSHFP resource |
Specifies whether to verify the remote key using DNS and SSHFP resource |
| records. |
records. |
| If this option is set to |
If this option is set to |
| .Dq yes , |
.Cm yes , |
| the client will implicitly trust keys that match a secure fingerprint |
the client will implicitly trust keys that match a secure fingerprint |
| from DNS. |
from DNS. |
| Insecure fingerprints will be handled as if this option was set to |
Insecure fingerprints will be handled as if this option was set to |
| .Dq ask . |
.Cm ask . |
| If this option is set to |
If this option is set to |
| .Dq ask , |
.Cm ask , |
| information on fingerprint match will be displayed, but the user will still |
information on fingerprint match will be displayed, but the user will still |
| need to confirm new host keys according to the |
need to confirm new host keys according to the |
| .Cm StrictHostKeyChecking |
.Cm StrictHostKeyChecking |
| option. |
option. |
| The argument must be |
|
| .Dq yes , |
|
| .Dq no , |
|
| or |
|
| .Dq ask . |
|
| The default is |
The default is |
| .Dq no . |
.Cm no . |
| .Pp |
.Pp |
| See also VERIFYING HOST KEYS in |
See also |
| |
.Sx VERIFYING HOST KEYS |
| |
in |
| .Xr ssh 1 . |
.Xr ssh 1 . |
| .It Cm VisualHostKey |
.It Cm VisualHostKey |
| If this flag is set to |
If this flag is set to |
| .Dq yes , |
.Cm yes , |
| an ASCII art representation of the remote host key fingerprint is |
an ASCII art representation of the remote host key fingerprint is |
| printed in addition to the fingerprint string at login and |
printed in addition to the fingerprint string at login and |
| for unknown host keys. |
for unknown host keys. |
| If this flag is set to |
If this flag is set to |
| .Dq no , |
.Cm no |
| |
(the default), |
| no fingerprint strings are printed at login and |
no fingerprint strings are printed at login and |
| only the fingerprint string will be printed for unknown host keys. |
only the fingerprint string will be printed for unknown host keys. |
| The default is |
|
| .Dq no . |
|
| .It Cm XAuthLocation |
.It Cm XAuthLocation |
| Specifies the full pathname of the |
Specifies the full pathname of the |
| .Xr xauth 1 |
.Xr xauth 1 |
|
|
| .Sq ?\& |
.Sq ?\& |
| (a wildcard that matches exactly one character). |
(a wildcard that matches exactly one character). |
| For example, to specify a set of declarations for any host in the |
For example, to specify a set of declarations for any host in the |
| .Dq .co.uk |
.Qq .co.uk |
| set of domains, |
set of domains, |
| the following pattern could be used: |
the following pattern could be used: |
| .Pp |
.Pp |
|
|
| For example, |
For example, |
| to allow a key to be used from anywhere within an organization |
to allow a key to be used from anywhere within an organization |
| except from the |
except from the |
| .Dq dialup |
.Qq dialup |
| pool, |
pool, |
| the following entry (in authorized_keys) could be used: |
the following entry (in authorized_keys) could be used: |
| .Pp |
.Pp |
|
|
| .Sh SEE ALSO |
.Sh SEE ALSO |
| .Xr ssh 1 |
.Xr ssh 1 |
| .Sh AUTHORS |
.Sh AUTHORS |
| |
.An -nosplit |
| OpenSSH is a derivative of the original and free |
OpenSSH is a derivative of the original and free |
| ssh 1.2.12 release by Tatu Ylonen. |
ssh 1.2.12 release by |
| Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, |
.An Tatu Ylonen . |
| Theo de Raadt and Dug Song |
.An Aaron Campbell , Bob Beck , Markus Friedl , |
| |
.An Niels Provos , Theo de Raadt |
| |
and |
| |
.An Dug Song |
| removed many bugs, re-added newer features and |
removed many bugs, re-added newer features and |
| created OpenSSH. |
created OpenSSH. |
| Markus Friedl contributed the support for SSH |
.An Markus Friedl |
| protocol versions 1.5 and 2.0. |
contributed the support for SSH protocol versions 1.5 and 2.0. |
![[BACK]](/icons/back.gif){kind=icon}
Return to ssh_config.5 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh