version 1.239, 2016/09/28 17:59:22 |
version 1.240, 2016/10/15 19:56:25 |
|
|
For each parameter, the first obtained value |
For each parameter, the first obtained value |
will be used. |
will be used. |
The configuration files contain sections separated by |
The configuration files contain sections separated by |
.Dq Host |
.Cm Host |
specifications, and that section is only applied for hosts that |
specifications, and that section is only applied for hosts that |
match one of the patterns given in the specification. |
match one of the patterns given in the specification. |
The matched host name is usually the one given on the command line |
The matched host name is usually the one given on the command line |
(see the |
(see the |
.Cm CanonicalizeHostname |
.Cm CanonicalizeHostname |
option for exceptions.) |
option for exceptions). |
.Pp |
.Pp |
Since the first obtained value for each parameter is used, more |
Since the first obtained value for each parameter is used, more |
host-specific declarations should be given near the beginning of the |
host-specific declarations should be given near the beginning of the |
file, and general defaults at the end. |
file, and general defaults at the end. |
.Pp |
.Pp |
The configuration file has the following format: |
The file contains keyword-argument pairs, one per line. |
.Pp |
Lines starting with |
Empty lines and lines starting with |
|
.Ql # |
.Ql # |
are comments. |
and empty lines are interpreted as comments. |
Otherwise a line is of the format |
Arguments may optionally be enclosed in double quotes |
.Dq keyword arguments . |
.Pq \&" |
|
in order to represent arguments containing spaces. |
Configuration options may be separated by whitespace or |
Configuration options may be separated by whitespace or |
optional whitespace and exactly one |
optional whitespace and exactly one |
.Ql = ; |
.Ql = ; |
|
|
.Nm sftp |
.Nm sftp |
.Fl o |
.Fl o |
option. |
option. |
Arguments may optionally be enclosed in double quotes |
|
.Pq \&" |
|
in order to represent arguments containing spaces. |
|
.Pp |
.Pp |
The possible |
The possible |
keywords and their meanings are as follows (note that |
keywords and their meanings are as follows (note that |
|
|
argument given on the command line |
argument given on the command line |
(see the |
(see the |
.Cm CanonicalizeHostname |
.Cm CanonicalizeHostname |
option for exceptions.) |
keyword for exceptions). |
.Pp |
.Pp |
A pattern entry may be negated by prefixing it with an exclamation mark |
A pattern entry may be negated by prefixing it with an exclamation mark |
.Pq Sq !\& . |
.Pq Sq !\& . |
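Review bot: The CanonicalizeHostname cross-reference in this hunk now ends "keyword for exceptions).", while the same sentence in the introductory hunk of this diff still ends "option for exceptions)."; both sentences describe the same thing, so use one term in both places.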
|
|
Specifies whether keys should be automatically added to a running |
Specifies whether keys should be automatically added to a running |
.Xr ssh-agent 1 . |
.Xr ssh-agent 1 . |
If this option is set to |
If this option is set to |
.Dq yes |
.Cm yes |
and a key is loaded from a file, the key and its passphrase are added to |
and a key is loaded from a file, the key and its passphrase are added to |
the agent with the default lifetime, as if by |
the agent with the default lifetime, as if by |
.Xr ssh-add 1 . |
.Xr ssh-add 1 . |
If this option is set to |
If this option is set to |
.Dq ask , |
.Cm ask , |
.Nm ssh |
.Xr ssh 1 |
will require confirmation using the |
will require confirmation using the |
.Ev SSH_ASKPASS |
.Ev SSH_ASKPASS |
program before adding a key (see |
program before adding a key (see |
.Xr ssh-add 1 |
.Xr ssh-add 1 |
for details). |
for details). |
If this option is set to |
If this option is set to |
.Dq confirm , |
.Cm confirm , |
each use of the key must be confirmed, as if the |
each use of the key must be confirmed, as if the |
.Fl c |
.Fl c |
option was specified to |
option was specified to |
.Xr ssh-add 1 . |
.Xr ssh-add 1 . |
If this option is set to |
If this option is set to |
.Dq no , |
.Cm no , |
no keys are added to the agent. |
no keys are added to the agent. |
The argument must be |
The argument must be |
.Dq yes , |
.Cm yes , |
.Dq confirm , |
.Cm confirm , |
.Dq ask , |
.Cm ask , |
or |
or |
.Dq no . |
.Cm no |
The default is |
(the default). |
.Dq no . |
|
.It Cm AddressFamily |
.It Cm AddressFamily |
Specifies which address family to use when connecting. |
Specifies which address family to use when connecting. |
Valid arguments are |
Valid arguments are |
.Dq any , |
.Cm any |
.Dq inet |
(the default), |
|
.Cm inet |
(use IPv4 only), or |
(use IPv4 only), or |
.Dq inet6 |
.Cm inet6 |
(use IPv6 only). |
(use IPv6 only). |
The default is |
|
.Dq any . |
|
.It Cm BatchMode |
.It Cm BatchMode |
If set to |
If set to |
.Dq yes , |
.Cm yes , |
passphrase/password querying will be disabled. |
passphrase/password querying will be disabled. |
This option is useful in scripts and other batch jobs where no user |
This option is useful in scripts and other batch jobs where no user |
is present to supply the password. |
is present to supply the password. |
The argument must be |
The argument must be |
.Dq yes |
.Cm yes |
or |
or |
.Dq no . |
.Cm no |
The default is |
(the default). |
.Dq no . |
|
.It Cm BindAddress |
.It Cm BindAddress |
Use the specified address on the local machine as the source address of |
Use the specified address on the local machine as the source address of |
the connection. |
the connection. |
|
|
Note that this option does not work if |
Note that this option does not work if |
.Cm UsePrivilegedPort |
.Cm UsePrivilegedPort |
is set to |
is set to |
.Dq yes . |
.Cm yes . |
.It Cm CanonicalDomains |
.It Cm CanonicalDomains |
When |
When |
.Cm CanonicalizeHostname |
.Cm CanonicalizeHostname |
|
|
.It Cm CanonicalizeFallbackLocal |
.It Cm CanonicalizeFallbackLocal |
Specifies whether to fail with an error when hostname canonicalization fails. |
Specifies whether to fail with an error when hostname canonicalization fails. |
The default, |
The default, |
.Dq yes , |
.Cm yes , |
will attempt to look up the unqualified hostname using the system resolver's |
will attempt to look up the unqualified hostname using the system resolver's |
search rules. |
search rules. |
A value of |
A value of |
.Dq no |
.Cm no |
will cause |
will cause |
.Xr ssh 1 |
.Xr ssh 1 |
to fail instantly if |
to fail instantly if |
|
|
.It Cm CanonicalizeHostname |
.It Cm CanonicalizeHostname |
Controls whether explicit hostname canonicalization is performed. |
Controls whether explicit hostname canonicalization is performed. |
The default, |
The default, |
.Dq no , |
.Cm no , |
is not to perform any name rewriting and let the system resolver handle all |
is not to perform any name rewriting and let the system resolver handle all |
hostname lookups. |
hostname lookups. |
If set to |
If set to |
.Dq yes |
.Cm yes |
then, for connections that do not use a |
then, for connections that do not use a |
.Cm ProxyCommand , |
.Cm ProxyCommand , |
.Xr ssh 1 |
.Xr ssh 1 |
|
|
If |
If |
.Cm CanonicalizeHostname |
.Cm CanonicalizeHostname |
is set to |
is set to |
.Dq always , |
.Cm always , |
then canonicalization is applied to proxied connections too. |
then canonicalization is applied to proxied connections too. |
.Pp |
.Pp |
If this option is enabled, then the configuration files are processed |
If this option is enabled, then the configuration files are processed |
|
|
.It Cm CanonicalizeMaxDots |
.It Cm CanonicalizeMaxDots |
Specifies the maximum number of dot characters in a hostname before |
Specifies the maximum number of dot characters in a hostname before |
canonicalization is disabled. |
canonicalization is disabled. |
The default, |
The default, 1, |
.Dq 1 , |
|
allows a single dot (i.e. hostname.subdomain). |
allows a single dot (i.e. hostname.subdomain). |
.It Cm CanonicalizePermittedCNAMEs |
.It Cm CanonicalizePermittedCNAMEs |
Specifies rules to determine whether CNAMEs should be followed when |
Specifies rules to determine whether CNAMEs should be followed when |
|
|
is a pattern-list of domains that they may resolve to. |
is a pattern-list of domains that they may resolve to. |
.Pp |
.Pp |
For example, |
For example, |
.Dq *.a.example.com:*.b.example.com,*.c.example.com |
.Qq *.a.example.com:*.b.example.com,*.c.example.com |
will allow hostnames matching |
will allow hostnames matching |
.Dq *.a.example.com |
.Qq *.a.example.com |
to be canonicalized to names in the |
to be canonicalized to names in the |
.Dq *.b.example.com |
.Qq *.b.example.com |
or |
or |
.Dq *.c.example.com |
.Qq *.c.example.com |
domains. |
domains. |
.It Cm CertificateFile |
.It Cm CertificateFile |
Specifies a file from which the user's certificate is read. |
Specifies a file from which the user's certificate is read. |
|
|
.It Cm ChallengeResponseAuthentication |
.It Cm ChallengeResponseAuthentication |
Specifies whether to use challenge-response authentication. |
Specifies whether to use challenge-response authentication. |
The argument to this keyword must be |
The argument to this keyword must be |
.Dq yes |
.Cm yes |
|
(the default) |
or |
or |
.Dq no . |
.Cm no . |
The default is |
|
.Dq yes . |
|
.It Cm CheckHostIP |
.It Cm CheckHostIP |
If this flag is set to |
If set to |
.Dq yes , |
.Cm yes |
|
(the default), |
.Xr ssh 1 |
.Xr ssh 1 |
will additionally check the host IP address in the |
will additionally check the host IP address in the |
.Pa known_hosts |
.Pa known_hosts |
file. |
file. |
This allows ssh to detect if a host key changed due to DNS spoofing |
This allows it to detect if a host key changed due to DNS spoofing |
and will add addresses of destination hosts to |
and will add addresses of destination hosts to |
.Pa ~/.ssh/known_hosts |
.Pa ~/.ssh/known_hosts |
in the process, regardless of the setting of |
in the process, regardless of the setting of |
.Cm StrictHostKeyChecking . |
.Cm StrictHostKeyChecking . |
If the option is set to |
If the option is set to |
.Dq no , |
.Cm no , |
the check will not be executed. |
the check will not be executed. |
The default is |
|
.Dq yes . |
|
.It Cm Cipher |
.It Cm Cipher |
Specifies the cipher to use for encrypting the session |
Specifies the cipher to use for encrypting the session |
in protocol version 1. |
in protocol version 1. |
Currently, |
Currently, |
.Dq blowfish , |
.Cm blowfish , |
.Dq 3des , |
.Cm 3des |
|
(the default), |
and |
and |
.Dq des |
.Cm des |
are supported. |
are supported, |
.Ar des |
though |
|
.Cm des |
is only supported in the |
is only supported in the |
.Xr ssh 1 |
.Xr ssh 1 |
client for interoperability with legacy protocol 1 implementations |
client for interoperability with legacy protocol 1 implementations; |
that do not support the |
its use is strongly discouraged due to cryptographic weaknesses. |
.Ar 3des |
|
cipher. |
|
Its use is strongly discouraged due to cryptographic weaknesses. |
|
The default is |
|
.Dq 3des . |
|
.It Cm Ciphers |
.It Cm Ciphers |
Specifies the ciphers allowed for protocol version 2 |
Specifies the ciphers allowed for protocol version 2 |
in order of preference. |
in order of preference. |
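Review bot: The rewritten Cipher entry drops the clause "that do not support the 3des cipher", so the text no longer says which legacy protocol 1 implementations des is kept for; keep that clause ahead of the semicolon, so the sentence reads "legacy protocol 1 implementations that do not support the 3des cipher; its use is strongly discouraged due to cryptographic weaknesses."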
|
|
instead of replacing them. |
instead of replacing them. |
.Pp |
.Pp |
The supported ciphers are: |
The supported ciphers are: |
.Pp |
.Bd -literal -offset indent |
.Bl -item -compact -offset indent |
|
.It |
|
3des-cbc |
3des-cbc |
.It |
|
aes128-cbc |
aes128-cbc |
.It |
|
aes192-cbc |
aes192-cbc |
.It |
|
aes256-cbc |
aes256-cbc |
.It |
|
aes128-ctr |
aes128-ctr |
.It |
|
aes192-ctr |
aes192-ctr |
.It |
|
aes256-ctr |
aes256-ctr |
.It |
|
aes128-gcm@openssh.com |
aes128-gcm@openssh.com |
.It |
|
aes256-gcm@openssh.com |
aes256-gcm@openssh.com |
.It |
|
arcfour |
arcfour |
.It |
|
arcfour128 |
arcfour128 |
.It |
|
arcfour256 |
arcfour256 |
.It |
|
blowfish-cbc |
blowfish-cbc |
.It |
|
cast128-cbc |
cast128-cbc |
.It |
|
chacha20-poly1305@openssh.com |
chacha20-poly1305@openssh.com |
.El |
.Ed |
.Pp |
.Pp |
The default is: |
The default is: |
.Bd -literal -offset indent |
.Bd -literal -offset indent |
|
|
aes128-cbc,aes192-cbc,aes256-cbc |
aes128-cbc,aes192-cbc,aes256-cbc |
.Ed |
.Ed |
.Pp |
.Pp |
The list of available ciphers may also be obtained using the |
The list of available ciphers may also be obtained using |
.Fl Q |
.Qq ssh -Q cipher . |
option of |
|
.Xr ssh 1 |
|
with an argument of |
|
.Dq cipher . |
|
.It Cm ClearAllForwardings |
.It Cm ClearAllForwardings |
Specifies that all local, remote, and dynamic port forwardings |
Specifies that all local, remote, and dynamic port forwardings |
specified in the configuration files or on the command line be |
specified in the configuration files or on the command line be |
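Review bot: ".Qq ssh -Q cipher ." at the end of the Ciphers entry replaces the ".Fl Q" and ".Xr ssh 1" macros with a quoted literal, so the flag and the manual cross-reference lose their semantic markup; if the shorter wording is wanted, keep the macros inside it. The same substitution is made for "ssh -Q key", "ssh -Q kex" and "ssh -Q mac" later in the diff.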
|
|
and |
and |
.Xr sftp 1 . |
.Xr sftp 1 . |
The argument must be |
The argument must be |
.Dq yes |
.Cm yes |
or |
or |
.Dq no . |
.Cm no |
The default is |
(the default). |
.Dq no . |
|
.It Cm Compression |
.It Cm Compression |
Specifies whether to use compression. |
Specifies whether to use compression. |
The argument must be |
The argument must be |
.Dq yes |
.Cm yes |
or |
or |
.Dq no . |
.Cm no |
The default is |
(the default). |
.Dq no . |
|
.It Cm CompressionLevel |
.It Cm CompressionLevel |
Specifies the compression level to use if compression is enabled. |
Specifies the compression level to use if compression is enabled. |
The argument must be an integer from 1 (fast) to 9 (slow, best). |
The argument must be an integer from 1 (fast) to 9 (slow, best). |
|
|
.It Cm ControlMaster |
.It Cm ControlMaster |
Enables the sharing of multiple sessions over a single network connection. |
Enables the sharing of multiple sessions over a single network connection. |
When set to |
When set to |
.Dq yes , |
.Cm yes , |
.Xr ssh 1 |
.Xr ssh 1 |
will listen for connections on a control socket specified using the |
will listen for connections on a control socket specified using the |
.Cm ControlPath |
.Cm ControlPath |
|
|
with |
with |
.Cm ControlMaster |
.Cm ControlMaster |
set to |
set to |
.Dq no |
.Cm no |
(the default). |
(the default). |
These sessions will try to reuse the master instance's network connection |
These sessions will try to reuse the master instance's network connection |
rather than initiating new ones, but will fall back to connecting normally |
rather than initiating new ones, but will fall back to connecting normally |
if the control socket does not exist, or is not listening. |
if the control socket does not exist, or is not listening. |
.Pp |
.Pp |
Setting this to |
Setting this to |
.Dq ask |
.Cm ask |
will cause ssh |
will cause |
|
.Xr ssh 1 |
to listen for control connections, but require confirmation using |
to listen for control connections, but require confirmation using |
.Xr ssh-askpass 1 . |
.Xr ssh-askpass 1 . |
If the |
If the |
.Cm ControlPath |
.Cm ControlPath |
cannot be opened, |
cannot be opened, |
ssh will continue without connecting to a master instance. |
.Xr ssh 1 |
|
will continue without connecting to a master instance. |
.Pp |
.Pp |
X11 and |
X11 and |
.Xr ssh-agent 1 |
.Xr ssh-agent 1 |
|
|
master connection but fall back to creating a new one if one does not already |
master connection but fall back to creating a new one if one does not already |
exist. |
exist. |
These options are: |
These options are: |
.Dq auto |
.Cm auto |
and |
and |
.Dq autoask . |
.Cm autoask . |
The latter requires confirmation like the |
The latter requires confirmation like the |
.Dq ask |
.Cm ask |
option. |
option. |
.It Cm ControlPath |
.It Cm ControlPath |
Specify the path to the control socket used for connection sharing as described |
Specify the path to the control socket used for connection sharing as described |
in the |
in the |
.Cm ControlMaster |
.Cm ControlMaster |
section above or the string |
section above or the string |
.Dq none |
.Cm none |
to disable connection sharing. |
to disable connection sharing. |
Arguments to |
Arguments to |
.Cm ControlPath |
.Cm ControlPath |
|
|
in the background (waiting for future client connections) |
in the background (waiting for future client connections) |
after the initial client connection has been closed. |
after the initial client connection has been closed. |
If set to |
If set to |
.Dq no , |
.Cm no , |
then the master connection will not be placed into the background, |
then the master connection will not be placed into the background, |
and will close as soon as the initial client connection is closed. |
and will close as soon as the initial client connection is closed. |
If set to |
If set to |
.Dq yes |
.Cm yes |
or |
or 0, |
.Dq 0 , |
|
then the master connection will remain in the background indefinitely |
then the master connection will remain in the background indefinitely |
(until killed or closed via a mechanism such as the |
(until killed or closed via a mechanism such as the |
.Xr ssh 1 |
.Qq ssh -O exit ) . |
.Dq Fl O No exit |
|
option). |
|
If set to a time in seconds, or a time in any of the formats documented in |
If set to a time in seconds, or a time in any of the formats documented in |
.Xr sshd_config 5 , |
.Xr sshd_config 5 , |
then the backgrounded master connection will automatically terminate |
then the backgrounded master connection will automatically terminate |
|
|
The |
The |
.Ar bind_address |
.Ar bind_address |
of |
of |
.Dq localhost |
.Cm localhost |
indicates that the listening port be bound for local use only, while an |
indicates that the listening port be bound for local use only, while an |
empty address or |
empty address or |
.Sq * |
.Sq * |
|
|
Only the superuser can forward privileged ports. |
Only the superuser can forward privileged ports. |
.It Cm EnableSSHKeysign |
.It Cm EnableSSHKeysign |
Setting this option to |
Setting this option to |
.Dq yes |
.Cm yes |
in the global client configuration file |
in the global client configuration file |
.Pa /etc/ssh/ssh_config |
.Pa /etc/ssh/ssh_config |
enables the use of the helper program |
enables the use of the helper program |
|
|
during |
during |
.Cm HostbasedAuthentication . |
.Cm HostbasedAuthentication . |
The argument must be |
The argument must be |
.Dq yes |
.Cm yes |
or |
or |
.Dq no . |
.Cm no |
The default is |
(the default). |
.Dq no . |
|
This option should be placed in the non-hostspecific section. |
This option should be placed in the non-hostspecific section. |
See |
See |
.Xr ssh-keysign 8 |
.Xr ssh-keysign 8 |
|
|
The argument should be a single character, |
The argument should be a single character, |
.Ql ^ |
.Ql ^ |
followed by a letter, or |
followed by a letter, or |
.Dq none |
.Cm none |
to disable the escape |
to disable the escape |
character entirely (making the connection transparent for binary |
character entirely (making the connection transparent for binary |
data). |
data). |
|
|
.Xr ssh 1 |
.Xr ssh 1 |
to exit if TCP connections to the ultimate forwarding destination fail. |
to exit if TCP connections to the ultimate forwarding destination fail. |
The argument must be |
The argument must be |
.Dq yes |
.Cm yes |
or |
or |
.Dq no . |
.Cm no |
The default is |
(the default). |
.Dq no . |
|
.It Cm FingerprintHash |
.It Cm FingerprintHash |
Specifies the hash algorithm used when displaying key fingerprints. |
Specifies the hash algorithm used when displaying key fingerprints. |
Valid options are: |
Valid options are: |
.Dq md5 |
.Cm md5 |
and |
and |
.Dq sha256 . |
.Cm sha256 |
The default is |
(the default). |
.Dq sha256 . |
|
.It Cm ForwardAgent |
.It Cm ForwardAgent |
Specifies whether the connection to the authentication agent (if any) |
Specifies whether the connection to the authentication agent (if any) |
will be forwarded to the remote machine. |
will be forwarded to the remote machine. |
The argument must be |
The argument must be |
.Dq yes |
.Cm yes |
or |
or |
.Dq no . |
.Cm no |
The default is |
(the default). |
.Dq no . |
|
.Pp |
.Pp |
Agent forwarding should be enabled with caution. |
Agent forwarding should be enabled with caution. |
Users with the ability to bypass file permissions on the remote host |
Users with the ability to bypass file permissions on the remote host |
|
|
.Ev DISPLAY |
.Ev DISPLAY |
set. |
set. |
The argument must be |
The argument must be |
.Dq yes |
.Cm yes |
or |
or |
.Dq no . |
.Cm no |
The default is |
(the default). |
.Dq no . |
|
.Pp |
.Pp |
X11 forwarding should be enabled with caution. |
X11 forwarding should be enabled with caution. |
Users with the ability to bypass file permissions on the remote host |
Users with the ability to bypass file permissions on the remote host |
|
|
.It Cm ForwardX11Timeout |
.It Cm ForwardX11Timeout |
Specify a timeout for untrusted X11 forwarding |
Specify a timeout for untrusted X11 forwarding |
using the format described in the |
using the format described in the |
TIME FORMATS section of |
.Sx TIME FORMATS |
|
section of |
.Xr sshd_config 5 . |
.Xr sshd_config 5 . |
X11 connections received by |
X11 connections received by |
.Xr ssh 1 |
.Xr ssh 1 |
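Review bot: ".Sx TIME FORMATS" in the ForwardX11Timeout entry is a same-page section reference, but the following lines say the section is in sshd_config(5), so the reference has no target in this page; keep the section name as plain or quoted text next to ".Xr sshd_config 5", the way the earlier entry about the backgrounded master connection refers to "the formats documented in" sshd_config(5).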
|
|
elapsed. |
elapsed. |
.It Cm ForwardX11Trusted |
.It Cm ForwardX11Trusted |
If this option is set to |
If this option is set to |
.Dq yes , |
.Cm yes , |
remote X11 clients will have full access to the original X11 display. |
remote X11 clients will have full access to the original X11 display. |
.Pp |
.Pp |
If this option is set to |
If this option is set to |
.Dq no , |
.Cm no |
|
(the default), |
remote X11 clients will be considered untrusted and prevented |
remote X11 clients will be considered untrusted and prevented |
from stealing or tampering with data belonging to trusted X11 |
from stealing or tampering with data belonging to trusted X11 |
clients. |
clients. |
|
|
token used for the session will be set to expire after 20 minutes. |
token used for the session will be set to expire after 20 minutes. |
Remote clients will be refused access after this time. |
Remote clients will be refused access after this time. |
.Pp |
.Pp |
The default is |
|
.Dq no . |
|
.Pp |
|
See the X11 SECURITY extension specification for full details on |
See the X11 SECURITY extension specification for full details on |
the restrictions imposed on untrusted clients. |
the restrictions imposed on untrusted clients. |
.It Cm GatewayPorts |
.It Cm GatewayPorts |
|
|
should bind local port forwardings to the wildcard address, |
should bind local port forwardings to the wildcard address, |
thus allowing remote hosts to connect to forwarded ports. |
thus allowing remote hosts to connect to forwarded ports. |
The argument must be |
The argument must be |
.Dq yes |
.Cm yes |
or |
or |
.Dq no . |
.Cm no |
The default is |
(the default). |
.Dq no . |
|
.It Cm GlobalKnownHostsFile |
.It Cm GlobalKnownHostsFile |
Specifies one or more files to use for the global |
Specifies one or more files to use for the global |
host key database, separated by whitespace. |
host key database, separated by whitespace. |
|
|
.It Cm GSSAPIAuthentication |
.It Cm GSSAPIAuthentication |
Specifies whether user authentication based on GSSAPI is allowed. |
Specifies whether user authentication based on GSSAPI is allowed. |
The default is |
The default is |
.Dq no . |
.Cm no . |
.It Cm GSSAPIDelegateCredentials |
.It Cm GSSAPIDelegateCredentials |
Forward (delegate) credentials to the server. |
Forward (delegate) credentials to the server. |
The default is |
The default is |
.Dq no . |
.Cm no . |
.It Cm HashKnownHosts |
.It Cm HashKnownHosts |
Indicates that |
Indicates that |
.Xr ssh 1 |
.Xr ssh 1 |
|
|
but they do not reveal identifying information should the file's contents |
but they do not reveal identifying information should the file's contents |
be disclosed. |
be disclosed. |
The default is |
The default is |
.Dq no . |
.Cm no . |
Note that existing names and addresses in known hosts files |
Note that existing names and addresses in known hosts files |
will not be converted automatically, |
will not be converted automatically, |
but may be manually hashed using |
but may be manually hashed using |
|
|
Specifies whether to try rhosts based authentication with public key |
Specifies whether to try rhosts based authentication with public key |
authentication. |
authentication. |
The argument must be |
The argument must be |
.Dq yes |
.Cm yes |
or |
or |
.Dq no . |
.Cm no |
The default is |
(the default). |
.Dq no . |
|
.It Cm HostbasedKeyTypes |
.It Cm HostbasedKeyTypes |
Specifies the key types that will be used for hostbased authentication |
Specifies the key types that will be used for hostbased authentication |
as a comma-separated pattern list. |
as a comma-separated pattern list. |
|
|
If hostkeys are known for the destination host then this default is modified |
If hostkeys are known for the destination host then this default is modified |
to prefer their algorithms. |
to prefer their algorithms. |
.Pp |
.Pp |
The list of available key types may also be obtained using the |
The list of available key types may also be obtained using |
.Fl Q |
.Qq ssh -Q key . |
option of |
|
.Xr ssh 1 |
|
with an argument of |
|
.Dq key . |
|
.It Cm HostKeyAlias |
.It Cm HostKeyAlias |
Specifies an alias that should be used instead of the |
Specifies an alias that should be used instead of the |
real host name when looking up or saving the host key |
real host name when looking up or saving the host key |
|
|
.Cm PKCS11Provider |
.Cm PKCS11Provider |
offers more identities. |
offers more identities. |
The argument to this keyword must be |
The argument to this keyword must be |
.Dq yes |
.Cm yes |
or |
or |
.Dq no . |
.Cm no |
|
(the default). |
This option is intended for situations where ssh-agent |
This option is intended for situations where ssh-agent |
offers many different identities. |
offers many different identities. |
The default is |
|
.Dq no . |
|
.It Cm IdentityAgent |
.It Cm IdentityAgent |
Specifies the |
Specifies the |
.Ux Ns -domain |
.Ux Ns -domain |
socket used to communicate with the authentication agent. |
socket used to communicate with the authentication agent. |
.Pp |
.Pp |
This option overrides the |
This option overrides the |
.Dq SSH_AUTH_SOCK |
.Ev SSH_AUTH_SOCK |
environment variable and can be used to select a specific agent. |
environment variable and can be used to select a specific agent. |
Setting the socket name to |
Setting the socket name to |
.Dq none |
.Cm none |
disables the use of an authentication agent. |
disables the use of an authentication agent. |
If the string |
If the string |
.Dq SSH_AUTH_SOCK |
.Qq SSH_AUTH_SOCK |
is specified, the location of the socket will be read from the |
is specified, the location of the socket will be read from the |
.Ev SSH_AUTH_SOCK |
.Ev SSH_AUTH_SOCK |
environment variable. |
environment variable. |
|
|
Multiple pathnames may be specified and each pathname may contain |
Multiple pathnames may be specified and each pathname may contain |
.Xr glob 3 |
.Xr glob 3 |
wildcards and, for user configurations, shell-like |
wildcards and, for user configurations, shell-like |
.Dq ~ |
.Sq ~ |
references to user home directories. |
references to user home directories. |
Files without absolute paths are assumed to be in |
Files without absolute paths are assumed to be in |
.Pa ~/.ssh |
.Pa ~/.ssh |
|
|
.It Cm IPQoS |
.It Cm IPQoS |
Specifies the IPv4 type-of-service or DSCP class for connections. |
Specifies the IPv4 type-of-service or DSCP class for connections. |
Accepted values are |
Accepted values are |
.Dq af11 , |
.Cm af11 , |
.Dq af12 , |
.Cm af12 , |
.Dq af13 , |
.Cm af13 , |
.Dq af21 , |
.Cm af21 , |
.Dq af22 , |
.Cm af22 , |
.Dq af23 , |
.Cm af23 , |
.Dq af31 , |
.Cm af31 , |
.Dq af32 , |
.Cm af32 , |
.Dq af33 , |
.Cm af33 , |
.Dq af41 , |
.Cm af41 , |
.Dq af42 , |
.Cm af42 , |
.Dq af43 , |
.Cm af43 , |
.Dq cs0 , |
.Cm cs0 , |
.Dq cs1 , |
.Cm cs1 , |
.Dq cs2 , |
.Cm cs2 , |
.Dq cs3 , |
.Cm cs3 , |
.Dq cs4 , |
.Cm cs4 , |
.Dq cs5 , |
.Cm cs5 , |
.Dq cs6 , |
.Cm cs6 , |
.Dq cs7 , |
.Cm cs7 , |
.Dq ef , |
.Cm ef , |
.Dq lowdelay , |
.Cm lowdelay , |
.Dq throughput , |
.Cm throughput , |
.Dq reliability , |
.Cm reliability , |
or a numeric value. |
or a numeric value. |
This option may take one or two arguments, separated by whitespace. |
This option may take one or two arguments, separated by whitespace. |
If one argument is specified, it is used as the packet class unconditionally. |
If one argument is specified, it is used as the packet class unconditionally. |
If two values are specified, the first is automatically selected for |
If two values are specified, the first is automatically selected for |
interactive sessions and the second for non-interactive sessions. |
interactive sessions and the second for non-interactive sessions. |
The default is |
The default is |
.Dq lowdelay |
.Cm lowdelay |
for interactive sessions and |
for interactive sessions and |
.Dq throughput |
.Cm throughput |
for non-interactive sessions. |
for non-interactive sessions. |
.It Cm KbdInteractiveAuthentication |
.It Cm KbdInteractiveAuthentication |
Specifies whether to use keyboard-interactive authentication. |
Specifies whether to use keyboard-interactive authentication. |
The argument to this keyword must be |
The argument to this keyword must be |
.Dq yes |
.Cm yes |
|
(the default) |
or |
or |
.Dq no . |
.Cm no . |
The default is |
|
.Dq yes . |
|
.It Cm KbdInteractiveDevices |
.It Cm KbdInteractiveDevices |
Specifies the list of methods to use in keyboard-interactive authentication. |
Specifies the list of methods to use in keyboard-interactive authentication. |
Multiple method names must be comma-separated. |
Multiple method names must be comma-separated. |
|
|
The methods available vary depending on what the server supports. |
The methods available vary depending on what the server supports. |
For an OpenSSH server, |
For an OpenSSH server, |
it may be zero or more of: |
it may be zero or more of: |
.Dq bsdauth , |
.Cm bsdauth , |
.Dq pam , |
.Cm pam , |
and |
and |
.Dq skey . |
.Cm skey . |
.It Cm KexAlgorithms |
.It Cm KexAlgorithms |
Specifies the available KEX (Key Exchange) algorithms. |
Specifies the available KEX (Key Exchange) algorithms. |
Multiple algorithms must be comma-separated. |
Multiple algorithms must be comma-separated. |
|
|
diffie-hellman-group14-sha1 |
diffie-hellman-group14-sha1 |
.Ed |
.Ed |
.Pp |
.Pp |
The list of available key exchange algorithms may also be obtained using the |
The list of available key exchange algorithms may also be obtained using |
.Fl Q |
.Qq ssh -Q kex . |
option of |
|
.Xr ssh 1 |
|
with an argument of |
|
.Dq kex . |
|
.It Cm LocalCommand |
.It Cm LocalCommand |
Specifies a command to execute on the local machine after successfully |
Specifies a command to execute on the local machine after successfully |
connecting to the server. |
connecting to the server. |
|
|
The |
The |
.Ar bind_address |
.Ar bind_address |
of |
of |
.Dq localhost |
.Cm localhost |
indicates that the listening port be bound for local use only, while an |
indicates that the listening port be bound for local use only, while an |
empty address or |
empty address or |
.Sq * |
.Sq * |
|
|
instead of replacing them. |
instead of replacing them. |
.Pp |
.Pp |
The algorithms that contain |
The algorithms that contain |
.Dq -etm |
.Qq -etm |
calculate the MAC after encryption (encrypt-then-mac). |
calculate the MAC after encryption (encrypt-then-mac). |
These are considered safer and their use recommended. |
These are considered safer and their use recommended. |
.Pp |
.Pp |
|
|
hmac-sha2-256,hmac-sha2-512,hmac-sha1 |
hmac-sha2-256,hmac-sha2-512,hmac-sha1 |
.Ed |
.Ed |
.Pp |
.Pp |
The list of available MAC algorithms may also be obtained using the |
The list of available MAC algorithms may also be obtained using |
.Fl Q |
.Qq ssh -Q mac . |
option of |
|
.Xr ssh 1 |
|
with an argument of |
|
.Dq mac . |
|
.It Cm NoHostAuthenticationForLocalhost |
.It Cm NoHostAuthenticationForLocalhost |
This option can be used if the home directory is shared across machines. |
This option can be used if the home directory is shared across machines. |
In this case localhost will refer to a different machine on each of |
In this case localhost will refer to a different machine on each of |
the machines and the user will get many warnings about changed host keys. |
the machines and the user will get many warnings about changed host keys. |
However, this option disables host authentication for localhost. |
However, this option disables host authentication for localhost. |
The argument to this keyword must be |
The argument to this keyword must be |
.Dq yes |
.Cm yes |
or |
or |
.Dq no . |
.Cm no . |
The default is to check the host key for localhost. |
(the default). |
.It Cm NumberOfPasswordPrompts |
.It Cm NumberOfPasswordPrompts |
Specifies the number of password prompts before giving up. |
Specifies the number of password prompts before giving up. |
The argument to this keyword must be an integer. |
The argument to this keyword must be an integer. |
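Review bot: In the NoHostAuthenticationForLocalhost text the new side keeps the trailing period on `.Cm no .` and then adds `(the default).` on the next line, so the sentence renders as "yes or no. (the default)." The other yes/no options converted in this diff (PermitLocalCommand, for example) use `.Cm no` with no period before `(the default).`, so drop the period here too. The rewrite also removes the sentence saying that the default is to check the host key for localhost. Since this option disables host authentication for localhost, that explicit statement of what the default does is worth keeping.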
|
|
.It Cm PasswordAuthentication |
.It Cm PasswordAuthentication |
Specifies whether to use password authentication. |
Specifies whether to use password authentication. |
The argument to this keyword must be |
The argument to this keyword must be |
.Dq yes |
.Cm yes |
|
(the default) |
or |
or |
.Dq no . |
.Cm no . |
The default is |
|
.Dq yes . |
|
.It Cm PermitLocalCommand |
.It Cm PermitLocalCommand |
Allow local command execution via the |
Allow local command execution via the |
.Ic LocalCommand |
.Ic LocalCommand |
|
|
escape sequence in |
escape sequence in |
.Xr ssh 1 . |
.Xr ssh 1 . |
The argument must be |
The argument must be |
.Dq yes |
.Cm yes |
or |
or |
.Dq no . |
.Cm no |
The default is |
(the default). |
.Dq no . |
|
.It Cm PKCS11Provider |
.It Cm PKCS11Provider |
Specifies which PKCS#11 provider to use. |
Specifies which PKCS#11 provider to use. |
The argument to this keyword is the PKCS#11 shared library |
The argument to this keyword is the PKCS#11 shared library |
|
|
Specifies the protocol versions |
Specifies the protocol versions |
.Xr ssh 1 |
.Xr ssh 1 |
should support in order of preference. |
should support in order of preference. |
The possible values are |
The possible values are 1 and 2. |
.Sq 1 |
|
and |
|
.Sq 2 . |
|
Multiple versions must be comma-separated. |
Multiple versions must be comma-separated. |
When this option is set to |
When this option is set to |
.Dq 2,1 |
.Cm 2,1 |
.Nm ssh |
.Nm ssh |
will try version 2 and fall back to version 1 |
will try version 2 and fall back to version 1 |
if version 2 is not available. |
if version 2 is not available. |
The default is |
The default is version 2. |
.Sq 2 . |
|
Protocol 1 suffers from a number of cryptographic weaknesses and should |
Protocol 1 suffers from a number of cryptographic weaknesses and should |
not be used. |
not be used. |
It is only offered to support legacy devices. |
It is only offered to support legacy devices. |
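Review bot: The Protocol text now gives its literal values as unmarked prose ("The possible values are 1 and 2.", "The default is version 2.") while the same paragraph marks `2,1` with `.Cm`. A reader scanning for the accepted argument values will find only `2,1` set off as a literal. Suggest `.Cm 1` and `.Cm 2` for the possible values and for the default, matching how the other options in this diff mark their arguments.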
|
|
HostName of the host being connected (defaulting to the name typed by |
HostName of the host being connected (defaulting to the name typed by |
the user). |
the user). |
Setting the command to |
Setting the command to |
.Dq none |
.Cm none |
disables this option entirely. |
disables this option entirely. |
Note that |
Note that |
.Cm CheckHostIP |
.Cm CheckHostIP |
|
|
.Xr ssh 1 |
.Xr ssh 1 |
instead of continuing to execute and pass data. |
instead of continuing to execute and pass data. |
The default is |
The default is |
.Dq no . |
.Cm no . |
.It Cm PubkeyAcceptedKeyTypes |
.It Cm PubkeyAcceptedKeyTypes |
Specifies the key types that will be used for public key authentication |
Specifies the key types that will be used for public key authentication |
as a comma-separated pattern list. |
as a comma-separated pattern list. |
|
|
ssh-ed25519,ssh-rsa |
ssh-ed25519,ssh-rsa |
.Ed |
.Ed |
.Pp |
.Pp |
The |
The list of available key types may also be obtained using |
.Fl Q |
.Qq ssh -Q key . |
option of |
|
.Xr ssh 1 |
|
may be used to list supported key types. |
|
.It Cm PubkeyAuthentication |
.It Cm PubkeyAuthentication |
Specifies whether to try public key authentication. |
Specifies whether to try public key authentication. |
The argument to this keyword must be |
The argument to this keyword must be |
.Dq yes |
.Cm yes |
|
(the default) |
or |
or |
.Dq no . |
.Cm no . |
The default is |
|
.Dq yes . |
|
.It Cm RekeyLimit |
.It Cm RekeyLimit |
Specifies the maximum amount of data that may be transmitted before the |
Specifies the maximum amount of data that may be transmitted before the |
session key is renegotiated, optionally followed a maximum amount of |
session key is renegotiated, optionally followed a maximum amount of |
|
|
depending on the cipher. |
depending on the cipher. |
The optional second value is specified in seconds and may use any of the |
The optional second value is specified in seconds and may use any of the |
units documented in the |
units documented in the |
TIME FORMATS section of |
.Sx TIME FORMATS |
|
section of |
.Xr sshd_config 5 . |
.Xr sshd_config 5 . |
The default value for |
The default value for |
.Cm RekeyLimit |
.Cm RekeyLimit |
is |
is |
.Dq default none , |
.Cm default none , |
which means that rekeying is performed after the cipher's default amount |
which means that rekeying is performed after the cipher's default amount |
of data has been sent or received and no time based rekeying is done. |
of data has been sent or received and no time based rekeying is done. |
.It Cm RemoteForward |
.It Cm RemoteForward |
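Review bot: `.Sx TIME FORMATS` in the RekeyLimit text points at a section that lives in sshd_config(5), not in this page. In mdoc, `.Sx` references a section of the same manual page, so formatters that turn it into a link may produce a dangling one here. Plain text for the section name followed by `.Xr sshd_config 5`, as on the old side, avoids that. The `.Sx VERIFYING HOST KEYS` reference to ssh(1) later in this diff has the same problem.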
|
|
.Pp |
.Pp |
If the |
If the |
.Ar port |
.Ar port |
argument is |
argument is 0, |
.Ql 0 , |
|
the listen port will be dynamically allocated on the server and reported |
the listen port will be dynamically allocated on the server and reported |
to the client at run time. |
to the client at run time. |
.Pp |
.Pp |
|
|
.It Cm RequestTTY |
.It Cm RequestTTY |
Specifies whether to request a pseudo-tty for the session. |
Specifies whether to request a pseudo-tty for the session. |
The argument may be one of: |
The argument may be one of: |
.Dq no |
.Cm no |
(never request a TTY), |
(never request a TTY), |
.Dq yes |
.Cm yes |
(always request a TTY when standard input is a TTY), |
(always request a TTY when standard input is a TTY), |
.Dq force |
.Cm force |
(always request a TTY) or |
(always request a TTY) or |
.Dq auto |
.Cm auto |
(request a TTY when opening a login session). |
(request a TTY when opening a login session). |
This option mirrors the |
This option mirrors the |
.Fl t |
.Fl t |
|
|
Specifies whether to try rhosts based authentication with RSA host |
Specifies whether to try rhosts based authentication with RSA host |
authentication. |
authentication. |
The argument must be |
The argument must be |
.Dq yes |
.Cm yes |
or |
or |
.Dq no . |
.Cm no |
The default is |
(the default). |
.Dq no . |
|
This option applies to protocol version 1 only and requires |
This option applies to protocol version 1 only and requires |
.Xr ssh 1 |
.Xr ssh 1 |
to be setuid root. |
to be setuid root. |
.It Cm RSAAuthentication |
.It Cm RSAAuthentication |
Specifies whether to try RSA authentication. |
Specifies whether to try RSA authentication. |
The argument to this keyword must be |
The argument to this keyword must be |
.Dq yes |
.Cm yes |
|
(the default) |
or |
or |
.Dq no . |
.Cm no . |
RSA authentication will only be |
RSA authentication will only be |
attempted if the identity file exists, or an authentication agent is |
attempted if the identity file exists, or an authentication agent is |
running. |
running. |
The default is |
|
.Dq yes . |
|
Note that this option applies to protocol version 1 only. |
Note that this option applies to protocol version 1 only. |
.It Cm SendEnv |
.It Cm SendEnv |
Specifies what variables from the local |
Specifies what variables from the local |
|
|
This option is only used for port forwarding to a Unix-domain socket file. |
This option is only used for port forwarding to a Unix-domain socket file. |
.Pp |
.Pp |
The argument must be |
The argument must be |
.Dq yes |
.Cm yes |
or |
or |
.Dq no . |
.Cm no |
The default is |
(the default). |
.Dq no . |
|
.It Cm StrictHostKeyChecking |
.It Cm StrictHostKeyChecking |
If this flag is set to |
If this flag is set to |
.Dq yes , |
.Cm yes , |
.Xr ssh 1 |
.Xr ssh 1 |
will never automatically add host keys to the |
will never automatically add host keys to the |
.Pa ~/.ssh/known_hosts |
.Pa ~/.ssh/known_hosts |
|
|
This option forces the user to manually |
This option forces the user to manually |
add all new hosts. |
add all new hosts. |
If this flag is set to |
If this flag is set to |
.Dq no , |
.Cm no , |
ssh will automatically add new host keys to the |
ssh will automatically add new host keys to the |
user known hosts files. |
user known hosts files. |
If this flag is set to |
If this flag is set to |
.Dq ask , |
.Cm ask |
|
(the default), |
new host keys |
new host keys |
will be added to the user known host files only after the user |
will be added to the user known host files only after the user |
has confirmed that is what they really want to do, and |
has confirmed that is what they really want to do, and |
ssh will refuse to connect to hosts whose host key has changed. |
ssh will refuse to connect to hosts whose host key has changed. |
The host keys of |
The host keys of |
known hosts will be verified automatically in all cases. |
known hosts will be verified automatically in all cases. |
The argument must be |
|
.Dq yes , |
|
.Dq no , |
|
or |
|
.Dq ask . |
|
The default is |
|
.Dq ask . |
|
.It Cm TCPKeepAlive |
.It Cm TCPKeepAlive |
Specifies whether the system should send TCP keepalive messages to the |
Specifies whether the system should send TCP keepalive messages to the |
other side. |
other side. |
|
|
find it annoying. |
find it annoying. |
.Pp |
.Pp |
The default is |
The default is |
.Dq yes |
.Cm yes |
(to send TCP keepalive messages), and the client will notice |
(to send TCP keepalive messages), and the client will notice |
if the network goes down or the remote host dies. |
if the network goes down or the remote host dies. |
This is important in scripts, and many users want it too. |
This is important in scripts, and many users want it too. |
.Pp |
.Pp |
To disable TCP keepalive messages, the value should be set to |
To disable TCP keepalive messages, the value should be set to |
.Dq no . |
.Cm no . |
.It Cm Tunnel |
.It Cm Tunnel |
Request |
Request |
.Xr tun 4 |
.Xr tun 4 |
device forwarding between the client and the server. |
device forwarding between the client and the server. |
The argument must be |
The argument must be |
.Dq yes , |
.Cm yes , |
.Dq point-to-point |
.Cm point-to-point |
(layer 3), |
(layer 3), |
.Dq ethernet |
.Cm ethernet |
(layer 2), |
(layer 2), |
or |
or |
.Dq no . |
.Cm no |
|
(the default). |
Specifying |
Specifying |
.Dq yes |
.Cm yes |
requests the default tunnel mode, which is |
requests the default tunnel mode, which is |
.Dq point-to-point . |
.Cm point-to-point . |
The default is |
|
.Dq no . |
|
.It Cm TunnelDevice |
.It Cm TunnelDevice |
Specifies the |
Specifies the |
.Xr tun 4 |
.Xr tun 4 |
|
|
.Ar local_tun Op : Ar remote_tun . |
.Ar local_tun Op : Ar remote_tun . |
.Sm on |
.Sm on |
The devices may be specified by numerical ID or the keyword |
The devices may be specified by numerical ID or the keyword |
.Dq any , |
.Cm any , |
which uses the next available tunnel device. |
which uses the next available tunnel device. |
If |
If |
.Ar remote_tun |
.Ar remote_tun |
is not specified, it defaults to |
is not specified, it defaults to |
.Dq any . |
.Cm any . |
The default is |
The default is |
.Dq any:any . |
.Cm any:any . |
.It Cm UpdateHostKeys |
.It Cm UpdateHostKeys |
Specifies whether |
Specifies whether |
.Xr ssh 1 |
.Xr ssh 1 |
|
|
after authentication has completed and add them to |
after authentication has completed and add them to |
.Cm UserKnownHostsFile . |
.Cm UserKnownHostsFile . |
The argument must be |
The argument must be |
.Dq yes , |
.Cm yes , |
.Dq no |
.Cm no |
(the default) or |
(the default) or |
.Dq ask . |
.Cm ask . |
Enabling this option allows learning alternate hostkeys for a server |
Enabling this option allows learning alternate hostkeys for a server |
and supports graceful key rotation by allowing a server to send replacement |
and supports graceful key rotation by allowing a server to send replacement |
public keys before old ones are removed. |
public keys before old ones are removed. |
|
|
If |
If |
.Cm UpdateHostKeys |
.Cm UpdateHostKeys |
is set to |
is set to |
.Dq ask , |
.Cm ask , |
then the user is asked to confirm the modifications to the known_hosts file. |
then the user is asked to confirm the modifications to the known_hosts file. |
Confirmation is currently incompatible with |
Confirmation is currently incompatible with |
.Cm ControlPersist , |
.Cm ControlPersist , |
|
|
Presently, only |
Presently, only |
.Xr sshd 8 |
.Xr sshd 8 |
from OpenSSH 6.8 and greater support the |
from OpenSSH 6.8 and greater support the |
.Dq hostkeys@openssh.com |
.Qq hostkeys@openssh.com |
protocol extension used to inform the client of all the server's hostkeys. |
protocol extension used to inform the client of all the server's hostkeys. |
.It Cm UsePrivilegedPort |
.It Cm UsePrivilegedPort |
Specifies whether to use a privileged port for outgoing connections. |
Specifies whether to use a privileged port for outgoing connections. |
The argument must be |
The argument must be |
.Dq yes |
.Cm yes |
or |
or |
.Dq no . |
.Cm no |
The default is |
(the default). |
.Dq no . |
|
If set to |
If set to |
.Dq yes , |
.Cm yes , |
.Xr ssh 1 |
.Xr ssh 1 |
must be setuid root. |
must be setuid root. |
Note that this option must be set to |
Note that this option must be set to |
.Dq yes |
.Cm yes |
for |
for |
.Cm RhostsRSAAuthentication |
.Cm RhostsRSAAuthentication |
with older servers. |
with older servers. |
|
|
Specifies whether to verify the remote key using DNS and SSHFP resource |
Specifies whether to verify the remote key using DNS and SSHFP resource |
records. |
records. |
If this option is set to |
If this option is set to |
.Dq yes , |
.Cm yes , |
the client will implicitly trust keys that match a secure fingerprint |
the client will implicitly trust keys that match a secure fingerprint |
from DNS. |
from DNS. |
Insecure fingerprints will be handled as if this option was set to |
Insecure fingerprints will be handled as if this option was set to |
.Dq ask . |
.Cm ask . |
If this option is set to |
If this option is set to |
.Dq ask , |
.Cm ask , |
information on fingerprint match will be displayed, but the user will still |
information on fingerprint match will be displayed, but the user will still |
need to confirm new host keys according to the |
need to confirm new host keys according to the |
.Cm StrictHostKeyChecking |
.Cm StrictHostKeyChecking |
option. |
option. |
The argument must be |
|
.Dq yes , |
|
.Dq no , |
|
or |
|
.Dq ask . |
|
The default is |
The default is |
.Dq no . |
.Cm no . |
.Pp |
.Pp |
See also VERIFYING HOST KEYS in |
See also |
|
.Sx VERIFYING HOST KEYS |
|
in |
.Xr ssh 1 . |
.Xr ssh 1 . |
.It Cm VisualHostKey |
.It Cm VisualHostKey |
If this flag is set to |
If this flag is set to |
.Dq yes , |
.Cm yes , |
an ASCII art representation of the remote host key fingerprint is |
an ASCII art representation of the remote host key fingerprint is |
printed in addition to the fingerprint string at login and |
printed in addition to the fingerprint string at login and |
for unknown host keys. |
for unknown host keys. |
If this flag is set to |
If this flag is set to |
.Dq no , |
.Cm no |
|
(the default), |
no fingerprint strings are printed at login and |
no fingerprint strings are printed at login and |
only the fingerprint string will be printed for unknown host keys. |
only the fingerprint string will be printed for unknown host keys. |
The default is |
|
.Dq no . |
|
.It Cm XAuthLocation |
.It Cm XAuthLocation |
Specifies the full pathname of the |
Specifies the full pathname of the |
.Xr xauth 1 |
.Xr xauth 1 |
|
|
.Sq ?\& |
.Sq ?\& |
(a wildcard that matches exactly one character). |
(a wildcard that matches exactly one character). |
For example, to specify a set of declarations for any host in the |
For example, to specify a set of declarations for any host in the |
.Dq .co.uk |
.Qq .co.uk |
set of domains, |
set of domains, |
the following pattern could be used: |
the following pattern could be used: |
.Pp |
.Pp |
|
|
For example, |
For example, |
to allow a key to be used from anywhere within an organization |
to allow a key to be used from anywhere within an organization |
except from the |
except from the |
.Dq dialup |
.Qq dialup |
pool, |
pool, |
the following entry (in authorized_keys) could be used: |
the following entry (in authorized_keys) could be used: |
.Pp |
.Pp |
|
|
.Sh SEE ALSO |
.Sh SEE ALSO |
.Xr ssh 1 |
.Xr ssh 1 |
.Sh AUTHORS |
.Sh AUTHORS |
|
.An -nosplit |
OpenSSH is a derivative of the original and free |
OpenSSH is a derivative of the original and free |
ssh 1.2.12 release by Tatu Ylonen. |
ssh 1.2.12 release by |
Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, |
.An Tatu Ylonen . |
Theo de Raadt and Dug Song |
.An Aaron Campbell , Bob Beck , Markus Friedl , |
|
.An Niels Provos , Theo de Raadt |
|
and |
|
.An Dug Song |
removed many bugs, re-added newer features and |
removed many bugs, re-added newer features and |
created OpenSSH. |
created OpenSSH. |
Markus Friedl contributed the support for SSH |
.An Markus Friedl |
protocol versions 1.5 and 2.0. |
contributed the support for SSH protocol versions 1.5 and 2.0. |