version 1.49.2.2, 2006/02/03 02:53:45 |
version 1.50, 2005/04/21 06:17:50 |
|
|
The default is |
The default is |
.Dq no . |
.Dq no . |
.It Cm BindAddress |
.It Cm BindAddress |
Use the specified address on the local machine as the source address of |
Specify the interface to transmit from on machines with multiple |
the connection. |
interfaces or aliased addresses. |
Only useful on systems with more than one address. |
|
Note that this option does not work if |
Note that this option does not work if |
.Cm UsePrivilegedPort |
.Cm UsePrivilegedPort |
is set to |
is set to |
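Review bot: the new wording "Use the specified address on the local machine as the source address of the connection" is the right fix, since the argument is an address and the old text's "Specify the interface to transmit from" suggested an interface name would be accepted; the follow-on sentence "Only useful on systems with more than one address." is terse and would read better as "This is only useful on hosts that have more than one address." The caveat that the option does not work when UsePrivilegedPort is set is unchanged and still applies to the new text.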
|
|
.Dq aes128-ctr , |
.Dq aes128-ctr , |
.Dq aes192-ctr , |
.Dq aes192-ctr , |
.Dq aes256-ctr , |
.Dq aes256-ctr , |
.Dq arcfour128 , |
|
.Dq arcfour256 , |
|
.Dq arcfour , |
.Dq arcfour , |
.Dq blowfish-cbc , |
.Dq blowfish-cbc , |
and |
and |
.Dq cast128-cbc . |
.Dq cast128-cbc . |
The default is |
The default is |
.Bd -literal |
.Bd -literal |
``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, |
``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, |
arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, |
aes192-cbc,aes256-cbc'' |
aes192-ctr,aes256-ctr'' |
|
.Ed |
.Ed |
.It Cm ClearAllForwardings |
.It Cm ClearAllForwardings |
Specifies that all local, remote and dynamic port forwardings |
Specifies that all local, remote and dynamic port forwardings |
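Review bot: arcfour128 and arcfour256 are added both to the supported list and to the default string without a sentence saying how they differ from plain arcfour, so a reader choosing a Ciphers value has no basis for preferring one over another; add a clause distinguishing them or a cross-reference to where that is explained. The text should also state whether the default list is in preference order, because in the new default the three CTR ciphers are placed last, after every CBC cipher and after all three arcfour variants, and a reader who wants the CTR modes used first needs to know that the default will not do that. The line breaks inside .Bd -literal leave trailing commas at line ends, which matches the old formatting and renders correctly.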
|
|
set to |
set to |
.Dq no |
.Dq no |
(the default). |
(the default). |
These sessions will try to reuse the master instance's network connection |
These sessions will reuse the master instance's network connection rather |
rather than initiating new ones, but will fall back to connecting normally |
than initiating new ones. |
if the control socket does not exist, or is not listening. |
|
.Pp |
|
Setting this to |
Setting this to |
.Dq ask |
.Dq ask |
will cause |
will cause |
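Review bot: the added clause "but will fall back to connecting normally if the control socket does not exist, or is not listening" changes the documented behaviour from "will reuse" to "will try to reuse" but does not say whether the fallback is reported to the user; a session that opens a fresh connection instead of riding the already authenticated master is a different situation for the user, so state whether ssh prints a diagnostic when it falls back. The next paragraph of this entry adds a second sentence saying the same thing ("If the ControlPath can not be opened, ssh will continue without connecting to a master instance."), so one of the two should be dropped or the two merged.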
|
|
program before they are accepted (see |
program before they are accepted (see |
.Xr ssh-add 1 |
.Xr ssh-add 1 |
for details). |
for details). |
If the |
|
.Cm ControlPath |
|
can not be opened, |
|
.Nm ssh |
|
will continue without connecting to a master instance. |
|
.Pp |
|
X11 and |
|
.Xr ssh-agent 1 |
|
forwarding is supported over these multiplexed connections, however the |
|
display and agent forwarded will be the one belonging to the master |
|
connection i.e. it is not possible to forward multiple displays or agents. |
|
.Pp |
|
Two additional options allow for opportunistic multiplexing: try to use a |
|
master connection but fall back to creating a new one if one does not already |
|
exist. |
|
These options are: |
|
.Dq auto |
|
and |
|
.Dq autoask . |
|
The latter requires confirmation like the |
|
.Dq ask |
|
option. |
|
.It Cm ControlPath |
.It Cm ControlPath |
Specify the path to the control socket used for connection sharing as described |
Specify the path to the control socket used for connection sharing. |
in the |
See |
.Cm ControlMaster |
.Cm ControlMaster |
section above or the string |
above. |
.Dq none |
|
to disable connection sharing. |
|
In the path, |
|
.Ql %h |
|
will be substituted by the target host name, |
|
.Ql %p |
|
the port and |
|
.Ql %r |
|
by the remote login username. |
|
It is recommended that any |
|
.Cm ControlPath |
|
used for opportunistic connection sharing include |
|
all three of these escape sequences. |
|
This ensures that shared connections are uniquely identified. |
|
.It Cm DynamicForward |
.It Cm DynamicForward |
Specifies that a TCP port on the local machine be forwarded |
Specifies that a TCP/IP port on the local machine be forwarded |
over the secure channel, and the application |
over the secure channel, and the application |
protocol is then used to determine where to connect to from the |
protocol is then used to determine where to connect to from the |
remote machine. |
remote machine. |
.Pp |
The argument must be a port number. |
The argument must be |
|
.Sm off |
|
.Oo Ar bind_address : Oc Ar port . |
|
.Sm on |
|
IPv6 addresses can be specified by enclosing addresses in square brackets or |
|
by using an alternative syntax: |
|
.Oo Ar bind_address Ns / Oc Ns Ar port . |
|
By default, the local port is bound in accordance with the |
|
.Cm GatewayPorts |
|
setting. |
|
However, an explicit |
|
.Ar bind_address |
|
may be used to bind the connection to a specific address. |
|
The |
|
.Ar bind_address |
|
of |
|
.Dq localhost |
|
indicates that the listening port be bound for local use only, while an |
|
empty address or |
|
.Sq * |
|
indicates that the port should be available from all interfaces. |
|
.Pp |
|
Currently the SOCKS4 and SOCKS5 protocols are supported, and |
Currently the SOCKS4 and SOCKS5 protocols are supported, and |
.Nm ssh |
.Nm ssh |
will act as a SOCKS server. |
will act as a SOCKS server. |
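Review bot: "can not be opened" in the added ControlMaster sentence should be "cannot be opened", and that sentence repeats the fallback clause already added to the preceding paragraph ("will fall back to connecting normally if the control socket does not exist, or is not listening"); keep one of them. In the ControlPath text the recommendation to include %h, %p and %r is justified only by "This ensures that shared connections are uniquely identified."; spell out the failure it prevents, namely that a path without all three can match a master opened for a different host, port or user, so a new session could be multiplexed over a connection to the wrong destination. In the DynamicForward text, "an empty address or * indicates that the port should be available from all interfaces" deserves one more sentence: since ssh acts as a SOCKS server on that port, anyone who can reach the port can relay connections through the SSH session, and the "localhost" form described just before it is the way to limit the proxy to local users. "i.e. it is not possible" needs a comma after "i.e." in running mdoc text.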
|
|
Numeric IP addresses are also permitted (both on the command line and in |
Numeric IP addresses are also permitted (both on the command line and in |
.Cm HostName |
.Cm HostName |
specifications). |
specifications). |
.It Cm IdentitiesOnly |
|
Specifies that |
|
.Nm ssh |
|
should only use the authentication identity files configured in the |
|
.Nm |
|
files, |
|
even if the |
|
.Nm ssh-agent |
|
offers more identities. |
|
The argument to this keyword must be |
|
.Dq yes |
|
or |
|
.Dq no . |
|
This option is intended for situations where |
|
.Nm ssh-agent |
|
offers many different identities. |
|
The default is |
|
.Dq no . |
|
.It Cm IdentityFile |
.It Cm IdentityFile |
Specifies a file from which the user's RSA or DSA authentication identity |
Specifies a file from which the user's RSA or DSA authentication identity |
is read. |
is read. |
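Review bot: moving IdentitiesOnly ahead of IdentityFile restores alphabetical order; the moved copy reads "intended" where the removed copy further down reads "intented", so the move also carries a typo fix that the log message should mention. The entry says the option "is intended for situations where ssh-agent offers many different identities" without saying what goes wrong in that case; add the consequence so readers know when they need to set it. "configured in the .Nm files" relies on the bare .Nm expanding to this page's own name; that works for ssh_config, but the sentence should read unambiguously as "the configuration files" rather than appearing to refer to ssh.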
|
|
It is possible to have |
It is possible to have |
multiple identity files specified in configuration files; all these |
multiple identity files specified in configuration files; all these |
identities will be tried in sequence. |
identities will be tried in sequence. |
|
.It Cm IdentitiesOnly |
|
Specifies that |
|
.Nm ssh |
|
should only use the authentication identity files configured in the |
|
.Nm |
|
files, |
|
even if the |
|
.Nm ssh-agent |
|
offers more identities. |
|
The argument to this keyword must be |
|
.Dq yes |
|
or |
|
.Dq no . |
|
This option is intented for situations where |
|
.Nm ssh-agent |
|
offers many different identities. |
|
The default is |
|
.Dq no . |
.It Cm KbdInteractiveDevices |
.It Cm KbdInteractiveDevices |
Specifies the list of methods to use in keyboard-interactive authentication. |
Specifies the list of methods to use in keyboard-interactive authentication. |
Multiple method names must be comma-separated. |
Multiple method names must be comma-separated. |
The default is to use the server specified list. |
The default is to use the server specified list. |
.It Cm LocalCommand |
|
Specifies a command to execute on the local machine after successfully |
|
connecting to the server. |
|
The command string extends to the end of the line, and is executed with |
|
.Pa /bin/sh . |
|
This directive is ignored unless |
|
.Cm PermitLocalCommand |
|
has been enabled. |
|
.It Cm LocalForward |
.It Cm LocalForward |
Specifies that a TCP port on the local machine be forwarded over |
Specifies that a TCP/IP port on the local machine be forwarded over |
the secure channel to the specified host and port from the remote machine. |
the secure channel to the specified host and port from the remote machine. |
The first argument must be |
The first argument must be |
.Sm off |
.Sm off |
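Review bot: LocalCommand says the command "is executed with /bin/sh" but not whether the %h, %p and %r escapes documented for ControlPath are substituted into it; state that explicitly, because a command that embeds the host name is the obvious use and, if substitution happens, the expanded values are interpreted by the shell, which the person writing the command needs to know. "This directive is ignored unless PermitLocalCommand has been enabled." is the only safeguard named, so keep it adjacent to the description of what the command does. The IdentitiesOnly block removed here is the copy with "intented", matching the corrected copy inserted before IdentityFile. "TCP/IP port" to "TCP port" in LocalForward is consistent with the same change in DynamicForward and RemoteForward.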
|
|
.Dq no . |
.Dq no . |
The default is |
The default is |
.Dq yes . |
.Dq yes . |
.It Cm PermitLocalCommand |
|
Allow local command execution via the |
|
.Ic LocalCommand |
|
option or using the |
|
.Ic !\& Ns Ar command |
|
escape sequence in |
|
.Xr ssh 1 . |
|
The argument must be |
|
.Dq yes |
|
or |
|
.Dq no . |
|
The default is |
|
.Dq no . |
|
.It Cm Port |
.It Cm Port |
Specifies the port number to connect on the remote host. |
Specifies the port number to connect on the remote host. |
Default is 22. |
Default is 22. |
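Review bot: ".Ic LocalCommand" should be ".Cm LocalCommand" to match how every other keyword in this page is cross-referenced (".Cm PermitLocalCommand", ".Cm ControlMaster", ".Cm ServerAliveInterval"); ".Ic" fits the "!command" escape, which is an interactive command of ssh(1), but not a configuration keyword. The default of "no" is the right choice for an option that lets a configuration file supply commands to /bin/sh, and one clause saying why the default is "no" would discourage changing it casually.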
|
|
.Cm CheckHostIP |
.Cm CheckHostIP |
is not available for connects with a proxy command. |
is not available for connects with a proxy command. |
.Pp |
.Pp |
This directive is useful in conjunction with |
|
.Xr nc 1 |
|
and its proxy support. |
|
For example, the following directive would connect via an HTTP proxy at |
|
192.0.2.0: |
|
.Bd -literal -offset 3n |
|
ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p |
|
.Ed |
|
.It Cm PubkeyAuthentication |
.It Cm PubkeyAuthentication |
Specifies whether to try public key authentication. |
Specifies whether to try public key authentication. |
The argument to this keyword must be |
The argument to this keyword must be |
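Review bot: the example "ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p" uses %h and %p without the surrounding lines defining them; if the earlier part of the ProxyCommand entry (outside this hunk) already explains the substitutions that is fine, otherwise add "where %h and %p are replaced by the host name and port" next to the example. 192.0.2.0 is the network address of the documentation range rather than a host address, so a value such as 192.0.2.1 would look less like a typo in an example. The sentence that CheckHostIP is not available with a proxy command belongs close to the example, since a reader copying it gives up that check.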
|
|
The default is |
The default is |
.Dq yes . |
.Dq yes . |
This option applies to protocol version 2 only. |
This option applies to protocol version 2 only. |
.It Cm RekeyLimit |
|
Specifies the maximum amount of data that may be transmitted before the |
|
session key is renegotiated. |
|
The argument is the number of bytes, with an optional suffix of |
|
.Sq K , |
|
.Sq M , |
|
or |
|
.Sq G |
|
to indicate Kilobytes, Megabytes, or Gigabytes, respectively. |
|
The default is between |
|
.Dq 1G |
|
and |
|
.Dq 4G , |
|
depending on the cipher. |
|
This option applies to protocol version 2 only. |
|
.It Cm RemoteForward |
.It Cm RemoteForward |
Specifies that a TCP port on the remote machine be forwarded over |
Specifies that a TCP/IP port on the remote machine be forwarded over |
the secure channel to the specified host and port from the local machine. |
the secure channel to the specified host and port from the local machine. |
The first argument must be |
The first argument must be |
.Sm off |
.Sm off |
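Review bot: "The default is between 1G and 4G, depending on the cipher" leaves the reader unable to predict the default for any given cipher; either state the rule that picks it or give the value per cipher family. "Kilobytes, Megabytes, or Gigabytes" should be lower case, and the text should say whether the K, M and G suffixes are powers of two or of ten, since a rekey limit is a security bound and an operator choosing a small value wants to know exactly what "1M" means. "This option applies to protocol version 2 only." is consistent with the other version-2-only entries.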
|
|
.Cm SendEnv |
.Cm SendEnv |
directives. |
directives. |
The default is not to send any environment variables. |
The default is not to send any environment variables. |
|
.It Cm ServerAliveInterval |
|
Sets a timeout interval in seconds after which if no data has been received |
|
from the server, |
|
.Nm ssh |
|
will send a message through the encrypted |
|
channel to request a response from the server. |
|
The default |
|
is 0, indicating that these messages will not be sent to the server. |
|
This option applies to protocol version 2 only. |
.It Cm ServerAliveCountMax |
.It Cm ServerAliveCountMax |
Sets the number of server alive messages (see below) which may be |
Sets the number of server alive messages (see above) which may be |
sent without |
sent without |
.Nm ssh |
.Nm ssh |
receiving any messages back from the server. |
receiving any messages back from the server. |
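Review bot: the "see above" to "see below" changes are correct for the new ordering, in which ServerAliveInterval now follows ServerAliveCountMax. In the ServerAliveInterval text, "after which if no data has been received from the server, ssh will send a message" is hard to parse; a comma after "which" fixes it. The entry should also say that because these messages are sent through the encrypted channel they cannot be spoofed by a third party, which is what distinguishes them from the TCP keepalive messages controlled by TCPKeepAlive later in this page and is the reason to prefer them for detecting a dead peer.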
|
|
The default value is 3. |
The default value is 3. |
If, for example, |
If, for example, |
.Cm ServerAliveInterval |
.Cm ServerAliveInterval |
(see below) is set to 15, and |
(above) is set to 15, and |
.Cm ServerAliveCountMax |
.Cm ServerAliveCountMax |
is left at the default, if the server becomes unresponsive ssh |
is left at the default, if the server becomes unresponsive ssh |
will disconnect after approximately 45 seconds. |
will disconnect after approximately 45 seconds. |
.It Cm ServerAliveInterval |
|
Sets a timeout interval in seconds after which if no data has been received |
|
from the server, |
|
.Nm ssh |
|
will send a message through the encrypted |
|
channel to request a response from the server. |
|
The default |
|
is 0, indicating that these messages will not be sent to the server. |
|
This option applies to protocol version 2 only. |
|
.It Cm SmartcardDevice |
.It Cm SmartcardDevice |
Specifies which smartcard device to use. |
Specifies which smartcard device to use. |
The argument to this keyword is the device |
The argument to this keyword is the device |
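Review bot: "if the server becomes unresponsive ssh will disconnect" should mark the program name as ".Nm ssh" as the rest of the entry does ("sent without .Nm ssh receiving any messages"), and a comma after "unresponsive" helps. The worked example (interval 15, count left at the default of 3, disconnect after approximately 45 seconds) is useful; it would be worth adding one clause on what the disconnect does to the session, since operators tune these values for long-lived tunnels. The ServerAliveInterval block removed here reappears unchanged after ServerAliveCountMax.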
|
|
.Pp |
.Pp |
To disable TCP keepalive messages, the value should be set to |
To disable TCP keepalive messages, the value should be set to |
.Dq no . |
.Dq no . |
.It Cm Tunnel |
|
Request starting |
|
.Xr tun 4 |
|
device forwarding between the client and the server. |
|
This option also allows requesting layer 2 (ethernet) |
|
instead of layer 3 (point-to-point) tunneling from the server. |
|
The argument must be |
|
.Dq yes , |
|
.Dq point-to-point , |
|
.Dq ethernet |
|
or |
|
.Dq no . |
|
The default is |
|
.Dq no . |
|
.It Cm TunnelDevice |
|
Force a specified |
|
.Xr tun 4 |
|
device on the client. |
|
Without this option, the next available device will be used. |
|
.It Cm UsePrivilegedPort |
.It Cm UsePrivilegedPort |
Specifies whether to use a privileged port for outgoing connections. |
Specifies whether to use a privileged port for outgoing connections. |
The argument must be |
The argument must be |
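Review bot: Tunnel lists the accepted arguments as "yes", "point-to-point", "ethernet" or "no" but never says which mode "yes" selects; state it, because "This option also allows requesting layer 2 (ethernet) instead of layer 3 (point-to-point) tunneling" only implies that point-to-point is the plain case and the reader should not have to infer it. TunnelDevice says "Force a specified tun(4) device on the client" without giving the argument syntax or saying whether the server-side device can be chosen; add the form of the argument. Both entries describe forwarding that opens a tun(4) device on each end, so a sentence on the privilege needed to open such a device, or a pointer to tun(4) for it, belongs here as well.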