Annotation of src/usr.bin/ssh/ssh_config.5, Revision 1.243
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
.\" All rights reserved
.\"
.\" As far as I am concerned, the code I have written for this software
.\" can be used freely for any purpose. Any derived versions of this
.\" software must be clearly marked as such, and if the derived work is
.\" incompatible with the protocol description in the RFC file, it must be
.\" called by a name other than "ssh" or "Secure Shell".
.\"
.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
.\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
.\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: ssh_config.5,v 1.242 2017/02/27 14:30:33 jmc Exp $
.Dd $Mdocdate: February 27 2017 $
.Dt SSH_CONFIG 5
.Os
.Sh NAME
.Nm ssh_config
.Nd OpenSSH SSH client configuration files
.Sh SYNOPSIS
.Nm ~/.ssh/config
.Nm /etc/ssh/ssh_config
.Sh DESCRIPTION
.Xr ssh 1
obtains configuration data from the following sources in
the following order:
.Pp
.Bl -enum -offset indent -compact
.It
command-line options
.It
user's configuration file
.Pq Pa ~/.ssh/config
.It
system-wide configuration file
.Pq Pa /etc/ssh/ssh_config
.El
.Pp
For each parameter, the first obtained value
will be used.
The configuration files contain sections separated by
.Cm Host
specifications, and that section is only applied for hosts that
match one of the patterns given in the specification.
The matched host name is usually the one given on the command line
(see the
.Cm CanonicalizeHostname
option for exceptions).
.Pp
Since the first obtained value for each parameter is used, more
host-specific declarations should be given near the beginning of the
file, and general defaults at the end.
.Pp
The file contains keyword-argument pairs, one per line.
Lines starting with
.Ql #
and empty lines are interpreted as comments.
Arguments may optionally be enclosed in double quotes
.Pq \&"
in order to represent arguments containing spaces.
Configuration options may be separated by whitespace or
optional whitespace and exactly one
.Ql = ;
the latter format is useful to avoid the need to quote whitespace
when specifying configuration options using the
.Nm ssh ,
.Nm scp ,
and
.Nm sftp
.Fl o
option.
.Pp
The possible
keywords and their meanings are as follows (note that
keywords are case-insensitive and arguments are case-sensitive):
.Bl -tag -width Ds
.It Cm Host
Restricts the following declarations (up to the next
.Cm Host
or
.Cm Match
keyword) to be only for those hosts that match one of the patterns
given after the keyword.
If more than one pattern is provided, they should be separated by whitespace.
A single
.Ql *
as a pattern can be used to provide global
defaults for all hosts.
The host is usually the
.Ar hostname
argument given on the command line
(see the
.Cm CanonicalizeHostname
keyword for exceptions).
.Pp
A pattern entry may be negated by prefixing it with an exclamation mark
.Pq Sq !\& .
If a negated entry is matched, then the
.Cm Host
entry is ignored, regardless of whether any other patterns on the line
match.
Negated matches are therefore useful to provide exceptions for wildcard
matches.
.Pp
See
.Sx PATTERNS
for more information on patterns.
.It Cm Match
Restricts the following declarations (up to the next
.Cm Host
or
.Cm Match
keyword) to be used only when the conditions following the
.Cm Match
keyword are satisfied.
Match conditions are specified using one or more criteria
or the single token
.Cm all
which always matches.
The available criteria keywords are:
.Cm canonical ,
.Cm exec ,
.Cm host ,
.Cm originalhost ,
.Cm user ,
and
.Cm localuser .
The
.Cm all
criterion must appear alone or immediately after
.Cm canonical .
Other criteria may be combined arbitrarily.
All criteria but
.Cm all
and
.Cm canonical
require an argument.
Criteria may be negated by prepending an exclamation mark
.Pq Sq !\& .
.Pp
The
.Cm canonical
keyword matches only when the configuration file is being re-parsed
after hostname canonicalization (see the
.Cm CanonicalizeHostname
option).
This may be useful to specify conditions that work with canonical host
names only.
The
.Cm exec
keyword executes the specified command under the user's shell.
If the command returns a zero exit status then the condition is considered true.
Commands containing whitespace characters must be quoted.
Arguments to
.Cm exec
accept the tokens described in the
.Sx TOKENS
section.
.Pp
The other keywords' criteria must be single entries or comma-separated
lists and may use the wildcard and negation operators described in the
.Sx PATTERNS
section.
The criteria for the
.Cm host
keyword are matched against the target hostname, after any substitution
by the
.Cm Hostname
or
.Cm CanonicalizeHostname
options.
The
.Cm originalhost
keyword matches against the hostname as it was specified on the command-line.
The
.Cm user
keyword matches against the target username on the remote host.
The
.Cm localuser
keyword matches against the name of the local user running
.Xr ssh 1
(this keyword may be useful in system-wide
.Nm
files).
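.Pp
An added worked configuration, not part of the OpenSSH manual page or
source tree, showing how first-value-wins ordering, negated patterns and
.Cm Match
criteria interact; the host names, user names and the
.Pa ~/bin/on-corp-net
script are assumptions made for the example:

```sshconfig
# Added example, not part of the OpenSSH manual page.  Host names, user
# names and the ~/bin/on-corp-net script are hypothetical.
# Rule: the first value obtained for a keyword wins, so the most specific
# stanzas come first and "Host *" defaults come last.

# Most specific first: nothing below can override these for the bastion.
Host bastion.example.com
    User admin
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_ed25519_bastion
    ForwardAgent no

# Wildcard with a negated exception.  A negated pattern that matches makes
# ssh skip the whole stanza, so this never applies to the bastion.
Host *.example.com !bastion.example.com
    User deploy

# Match tests conditions rather than only host patterns.  "host" is tested
# after HostName substitution; "originalhost" is what was typed.  Internal
# hosts reached from outside the corporate network (the exec command exits
# non-zero there) are tunnelled through the bastion.
Match host *.internal.example.com !exec "~/bin/on-corp-net"
    ProxyCommand ssh -W %h:%p admin@bastion.example.com

# In /etc/ssh/ssh_config, localuser restricts a stanza to one local account.
Match localuser root
    BatchMode yes

# Global defaults last.  Earlier stanzas already fixed their values, so
# these only fill in what is still unset.
Host *
    ForwardAgent no
    ForwardX11 no
    HashKnownHosts yes
    AddKeysToAgent no
```

The effective configuration for a destination can be checked with
.Qq ssh -G host ,
which prints every option after all stanzas have been applied;
a stanza that never takes effect is almost always one placed after a
.Cm Host *
block that already set the same keyword.
Because
.Cm exec
runs its command under the invoking user's shell with that user's
privileges, a script named in a system-wide file should be root-owned and
not writable by other users.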
.It Cm AddKeysToAgent
Specifies whether keys should be automatically added to a running
.Xr ssh-agent 1 .
If this option is set to
.Cm yes
and a key is loaded from a file, the key and its passphrase are added to
the agent with the default lifetime, as if by
.Xr ssh-add 1 .
If this option is set to
.Cm ask ,
.Xr ssh 1
will require confirmation using the
.Ev SSH_ASKPASS
program before adding a key (see
.Xr ssh-add 1
for details).
If this option is set to
.Cm confirm ,
each use of the key must be confirmed, as if the
.Fl c
option was specified to
.Xr ssh-add 1 .
If this option is set to
.Cm no ,
no keys are added to the agent.
The argument must be
.Cm yes ,
.Cm confirm ,
.Cm ask ,
or
.Cm no
(the default).
.It Cm AddressFamily
Specifies which address family to use when connecting.
Valid arguments are
.Cm any
(the default),
.Cm inet
(use IPv4 only), or
.Cm inet6
(use IPv6 only).
.It Cm BatchMode
If set to
.Cm yes ,
passphrase/password querying will be disabled.
This option is useful in scripts and other batch jobs where no user
is present to supply the password.
The argument must be
.Cm yes
or
.Cm no
(the default).
.It Cm BindAddress
Use the specified address on the local machine as the source address of
the connection.
Only useful on systems with more than one address.
Note that this option does not work if
.Cm UsePrivilegedPort
is set to
.Cm yes .
.It Cm CanonicalDomains
When
.Cm CanonicalizeHostname
is enabled, this option specifies the list of domain suffixes in which to
search for the specified destination host.
.It Cm CanonicalizeFallbackLocal
Specifies whether to fail with an error when hostname canonicalization fails.
The default,
.Cm yes ,
will attempt to look up the unqualified hostname using the system resolver's
search rules.
A value of
.Cm no
will cause
.Xr ssh 1
to fail instantly if
.Cm CanonicalizeHostname
is enabled and the target hostname cannot be found in any of the domains
specified by
.Cm CanonicalDomains .
.It Cm CanonicalizeHostname
Controls whether explicit hostname canonicalization is performed.
The default,
.Cm no ,
is not to perform any name rewriting and let the system resolver handle all
hostname lookups.
If set to
.Cm yes
then, for connections that do not use a
.Cm ProxyCommand ,
.Xr ssh 1
will attempt to canonicalize the hostname specified on the command line
using the
.Cm CanonicalDomains
suffixes and
.Cm CanonicalizePermittedCNAMEs
rules.
If
.Cm CanonicalizeHostname
is set to
.Cm always ,
then canonicalization is applied to proxied connections too.
.Pp
If this option is enabled, then the configuration files are processed
again using the new target name to pick up any new configuration in matching
.Cm Host
and
.Cm Match
stanzas.
.It Cm CanonicalizeMaxDots
Specifies the maximum number of dot characters in a hostname before
canonicalization is disabled.
The default, 1,
allows a single dot (i.e. hostname.subdomain).
.It Cm CanonicalizePermittedCNAMEs
Specifies rules to determine whether CNAMEs should be followed when
canonicalizing hostnames.
The rules consist of one or more arguments of
.Ar source_domain_list : Ns Ar target_domain_list ,
where
.Ar source_domain_list
is a pattern-list of domains that may follow CNAMEs in canonicalization,
and
.Ar target_domain_list
is a pattern-list of domains that they may resolve to.
.Pp
For example,
.Qq *.a.example.com:*.b.example.com,*.c.example.com
will allow hostnames matching
.Qq *.a.example.com
to be canonicalized to names in the
.Qq *.b.example.com
or
.Qq *.c.example.com
domains.
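.Pp
An added worked configuration, not part of the OpenSSH manual page or
source tree, combining the
.Cm Canonicalize*
options above with a
.Cm Match canonical
stanza; the domain names are assumptions made for the example:

```sshconfig
# Added example, not part of the OpenSSH manual page.  Domain names are
# hypothetical.  "ssh db1" is expanded to db1.corp.example.com or
# db1.lab.example.com, tried in that order; nothing else is attempted.
CanonicalizeHostname yes
CanonicalDomains corp.example.com lab.example.com
# Only unqualified names and names with a single dot are canonicalized.
CanonicalizeMaxDots 1
# Fail instead of handing an unknown short name to the resolver's search
# list, where a mistyped name could land on an unrelated host.
CanonicalizeFallbackLocal no
# CNAMEs are followed only from corp.example.com into svc.example.com; a
# record pointing anywhere else stops canonicalization for that name.
CanonicalizePermittedCNAMEs *.corp.example.com:*.svc.example.com

# Stanzas keyed on the canonical name only take effect on the second pass
# over the configuration.  "Match canonical" restricts a stanza to that
# pass, so it cannot be satisfied by a typed-in FQDN on the first pass.
Match canonical host *.lab.example.com
    User labadmin
Host *.corp.example.com
    IdentityFile ~/.ssh/id_ed25519_corp
```

With canonicalization on, the canonical name is what is looked up in and
saved to
.Pa known_hosts ,
so entries recorded earlier under short names no longer match and the
host key is prompted for again on the first connection.
Connections made through a
.Cm ProxyCommand
are left uncanonicalized unless the option is set to
.Cm always .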
.It Cm CertificateFile
Specifies a file from which the user's certificate is read.
A corresponding private key must be provided separately in order
to use this certificate either
from an
.Cm IdentityFile
directive or
.Fl i
flag to
.Xr ssh 1 ,
via
.Xr ssh-agent 1 ,
or via a
.Cm PKCS11Provider .
.Pp
Arguments to
.Cm CertificateFile
may use the tilde syntax to refer to a user's home directory
or the tokens described in the
.Sx TOKENS
section.
.Pp
It is possible to have multiple certificate files specified in
configuration files; these certificates will be tried in sequence.
Multiple
.Cm CertificateFile
directives will add to the list of certificates used for
authentication.
.It Cm ChallengeResponseAuthentication
Specifies whether to use challenge-response authentication.
The argument to this keyword must be
.Cm yes
(the default)
or
.Cm no .
.It Cm CheckHostIP
If set to
.Cm yes
(the default),
.Xr ssh 1
will additionally check the host IP address in the
.Pa known_hosts
file.
This allows it to detect if a host key changed due to DNS spoofing
and will add addresses of destination hosts to
.Pa ~/.ssh/known_hosts
in the process, regardless of the setting of
.Cm StrictHostKeyChecking .
If the option is set to
.Cm no ,
the check will not be executed.
.It Cm Cipher
Specifies the cipher to use for encrypting the session
in protocol version 1.
Currently,
.Cm blowfish ,
.Cm 3des
(the default),
and
.Cm des
are supported,
though
.Cm des
is only supported in the
.Xr ssh 1
client for interoperability with legacy protocol 1 implementations;
its use is strongly discouraged due to cryptographic weaknesses.
.It Cm Ciphers
Specifies the ciphers allowed for protocol version 2
in order of preference.
Multiple ciphers must be comma-separated.
If the specified value begins with a
.Sq +
character, then the specified ciphers will be appended to the default set
instead of replacing them.
If the specified value begins with a
.Sq -
character, then the specified ciphers (including wildcards) will be removed
from the default set instead of replacing them.
.Pp
The supported ciphers are:
.Bd -literal -offset indent
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
chacha20-poly1305@openssh.com
.Ed
.Pp
The default is:
.Bd -literal -offset indent
chacha20-poly1305@openssh.com,
aes128-ctr,aes192-ctr,aes256-ctr,
aes128-gcm@openssh.com,aes256-gcm@openssh.com,
aes128-cbc,aes192-cbc,aes256-cbc
.Ed
.Pp
The list of available ciphers may also be obtained using
.Qq ssh -Q cipher .
.It Cm ClearAllForwardings
Specifies that all local, remote, and dynamic port forwardings
specified in the configuration files or on the command line be
cleared.
This option is primarily useful when used from the
.Xr ssh 1
command line to clear port forwardings set in
configuration files, and is automatically set by
.Xr scp 1
and
.Xr sftp 1 .
The argument must be
.Cm yes
or
.Cm no
(the default).
.It Cm Compression
Specifies whether to use compression.
The argument must be
.Cm yes
or
.Cm no
(the default).
.It Cm CompressionLevel
Specifies the compression level to use if compression is enabled.
The argument must be an integer from 1 (fast) to 9 (slow, best).
The default level is 6, which is good for most applications.
The meaning of the values is the same as in
.Xr gzip 1 .
Note that this option applies to protocol version 1 only.
.It Cm ConnectionAttempts
Specifies the number of tries (one per second) to make before exiting.
The argument must be an integer.
This may be useful in scripts if the connection sometimes fails.
The default is 1.
.It Cm ConnectTimeout
Specifies the timeout (in seconds) used when connecting to the
SSH server, instead of using the default system TCP timeout.
This value is used only when the target is down or really unreachable,
not when it refuses the connection.
.It Cm ControlMaster
Enables the sharing of multiple sessions over a single network connection.
When set to
.Cm yes ,
.Xr ssh 1
will listen for connections on a control socket specified using the
.Cm ControlPath
argument.
Additional sessions can connect to this socket using the same
.Cm ControlPath
with
.Cm ControlMaster
set to
.Cm no
(the default).
These sessions will try to reuse the master instance's network connection
rather than initiating new ones, but will fall back to connecting normally
if the control socket does not exist, or is not listening.
.Pp
Setting this to
.Cm ask
will cause
.Xr ssh 1
to listen for control connections, but require confirmation using
.Xr ssh-askpass 1 .
If the
.Cm ControlPath
cannot be opened,
.Xr ssh 1
will continue without connecting to a master instance.
.Pp
X11 and
.Xr ssh-agent 1
forwarding is supported over these multiplexed connections, however the
display and agent forwarded will be the one belonging to the master
connection, i.e. it is not possible to forward multiple displays or agents.
.Pp
Two additional options allow for opportunistic multiplexing: try to use a
master connection but fall back to creating a new one if one does not already
exist.
These options are:
.Cm auto
and
.Cm autoask .
The latter requires confirmation like the
.Cm ask
option.
.It Cm ControlPath
Specify the path to the control socket used for connection sharing as described
in the
.Cm ControlMaster
section above or the string
.Cm none
to disable connection sharing.
Arguments to
.Cm ControlPath
may use the tilde syntax to refer to a user's home directory
or the tokens described in the
.Sx TOKENS
section.
It is recommended that any
.Cm ControlPath
used for opportunistic connection sharing include
at least %h, %p, and %r (or alternatively %C) and be placed in a directory
that is not writable by other users.
This ensures that shared connections are uniquely identified.
.It Cm ControlPersist
When used in conjunction with
.Cm ControlMaster ,
specifies that the master connection should remain open
in the background (waiting for future client connections)
after the initial client connection has been closed.
If set to
.Cm no ,
then the master connection will not be placed into the background,
and will close as soon as the initial client connection is closed.
If set to
.Cm yes
or 0,
then the master connection will remain in the background indefinitely
(until killed or closed via a mechanism such as the
.Qq ssh -O exit ) .
If set to a time in seconds, or a time in any of the formats documented in
.Xr sshd_config 5 ,
then the backgrounded master connection will automatically terminate
after it has remained idle (with no client connections) for the
specified time.
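.Pp
An added worked configuration, not part of the OpenSSH manual page or
source tree, for opportunistic connection sharing with the
.Cm ControlMaster ,
.Cm ControlPath
and
.Cm ControlPersist
options above; the socket directory and host name are assumptions made for
the example:

```sshconfig
# Added example, not part of the OpenSSH manual page.  The socket
# directory and host name are hypothetical.

# Specific host first (first value wins): sessions to this host are never
# shared, so each one authenticates on its own.
Host prod-bastion.example.com
    ControlMaster no
    ControlPath none

# Everywhere else: reuse a master if one is listening, otherwise become
# the master and keep it alive 10 minutes after the last session exits.
Host *
    ControlMaster auto
    # %C is a hash covering local host, remote host, port and user, so each
    # (host, port, user) triple gets its own socket and the path stays
    # short.  ~/.ssh/cm must exist and be mode 0700: anyone who can connect
    # to the socket gets a fully authenticated session without touching a
    # key or password.
    ControlPath ~/.ssh/cm/%C
    ControlPersist 10m
```

.Qq ssh -O check host
reports whether a master is listening for that destination and
.Qq ssh -O exit host
terminates it.
A socket placed in a shared directory such as
.Pa /tmp
with a predictable name is the failure mode the recommendation above guards
against: another local user who can reach the socket inherits the session.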
.It Cm DynamicForward
Specifies that a TCP port on the local machine be forwarded
over the secure channel, and the application
protocol is then used to determine where to connect to from the
remote machine.
.Pp
The argument must be
.Sm off
.Oo Ar bind_address : Oc Ar port .
.Sm on
IPv6 addresses can be specified by enclosing addresses in square brackets.
By default, the local port is bound in accordance with the
.Cm GatewayPorts
setting.
However, an explicit
.Ar bind_address
may be used to bind the connection to a specific address.
The
.Ar bind_address
of
.Cm localhost
indicates that the listening port be bound for local use only, while an
empty address or
.Sq *
indicates that the port should be available from all interfaces.
.Pp
Currently the SOCKS4 and SOCKS5 protocols are supported, and
.Xr ssh 1
will act as a SOCKS server.
Multiple forwardings may be specified, and
additional forwardings can be given on the command line.
Only the superuser can forward privileged ports.
.It Cm EnableSSHKeysign
Setting this option to
.Cm yes
in the global client configuration file
.Pa /etc/ssh/ssh_config
enables the use of the helper program
.Xr ssh-keysign 8
during
.Cm HostbasedAuthentication .
The argument must be
.Cm yes
or
.Cm no
(the default).
This option should be placed in the non-hostspecific section.
See
.Xr ssh-keysign 8
for more information.
.It Cm EscapeChar
Sets the escape character (default:
.Ql ~ ) .
The escape character can also
be set on the command line.
The argument should be a single character,
.Ql ^
followed by a letter, or
.Cm none
to disable the escape
character entirely (making the connection transparent for binary
data).
.It Cm ExitOnForwardFailure
Specifies whether
.Xr ssh 1
should terminate the connection if it cannot set up all requested
dynamic, tunnel, local, and remote port forwardings (e.g.\&
if either end is unable to bind and listen on a specified port).
Note that
.Cm ExitOnForwardFailure
does not apply to connections made over port forwardings and will not,
for example, cause
.Xr ssh 1
to exit if TCP connections to the ultimate forwarding destination fail.
The argument must be
.Cm yes
or
.Cm no
(the default).
.It Cm FingerprintHash
Specifies the hash algorithm used when displaying key fingerprints.
Valid options are:
.Cm md5
and
.Cm sha256
(the default).
.It Cm ForwardAgent
Specifies whether the connection to the authentication agent (if any)
will be forwarded to the remote machine.
The argument must be
.Cm yes
or
.Cm no
(the default).
.Pp
Agent forwarding should be enabled with caution.
Users with the ability to bypass file permissions on the remote host
(for the agent's Unix-domain socket)
can access the local agent through the forwarded connection.
An attacker cannot obtain key material from the agent,
however they can perform operations on the keys that enable them to
authenticate using the identities loaded into the agent.
.It Cm ForwardX11
Specifies whether X11 connections will be automatically redirected
over the secure channel and
.Ev DISPLAY
set.
The argument must be
.Cm yes
or
.Cm no
(the default).
.Pp
X11 forwarding should be enabled with caution.
Users with the ability to bypass file permissions on the remote host
(for the user's X11 authorization database)
can access the local X11 display through the forwarded connection.
An attacker may then be able to perform activities such as keystroke monitoring
if the
.Cm ForwardX11Trusted
option is also enabled.
.It Cm ForwardX11Timeout
Specify a timeout for untrusted X11 forwarding
using the format described in the
.Sx TIME FORMATS
section of
.Xr sshd_config 5 .
X11 connections received by
.Xr ssh 1
after this time will be refused.
The default is to disable untrusted X11 forwarding after twenty minutes have
elapsed.
.It Cm ForwardX11Trusted
If this option is set to
.Cm yes ,
remote X11 clients will have full access to the original X11 display.
.Pp
If this option is set to
.Cm no
(the default),
remote X11 clients will be considered untrusted and prevented
from stealing or tampering with data belonging to trusted X11
clients.
Furthermore, the
.Xr xauth 1
token used for the session will be set to expire after 20 minutes
(see
.Cm ForwardX11Timeout ) .
Remote clients will be refused access after this time.
.Pp
See the X11 SECURITY extension specification for full details on
the restrictions imposed on untrusted clients.
.It Cm GatewayPorts
Specifies whether remote hosts are allowed to connect to local
forwarded ports.
By default,
.Xr ssh 1
binds local port forwardings to the loopback address.
This prevents other remote hosts from connecting to forwarded ports.
.Cm GatewayPorts
can be used to specify that ssh
should bind local port forwardings to the wildcard address,
thus allowing remote hosts to connect to forwarded ports.
The argument must be
.Cm yes
or
.Cm no
(the default).
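.Pp
An added worked configuration, not part of the OpenSSH manual page or
source tree, placing an over-permissive forwarding setup next to a
corrected one that applies the cautions given for
.Cm DynamicForward ,
.Cm ForwardAgent ,
.Cm ForwardX11
and
.Cm GatewayPorts
above; the host names are assumptions made for the example:

```sshconfig
# Added example, not part of the OpenSSH manual page.  Host names are
# hypothetical.

# Weak (kept commented out): the agent is reachable from every server, the
# SOCKS proxy listens on all interfaces, and remote X11 clients are trusted.
# Host *
#     ForwardAgent yes
#     ForwardX11 yes
#     ForwardX11Trusted yes
#     DynamicForward *:1080
#     GatewayPorts yes

# Corrected: forwarding is granted per host, never globally, and the
# specific stanzas come before "Host *" so their values win.
Host build.example.com
    # Keys that ssh loads from file for this host are added to the agent
    # with the confirm flag, so every later signature, including one
    # requested through the forwarded agent, prompts locally first.
    ForwardAgent yes
    AddKeysToAgent confirm
Host viz.example.com
    # Untrusted X11 only; the xauth token expires after the timeout.
    ForwardX11 yes
    ForwardX11Trusted no
    ForwardX11Timeout 10m
    # SOCKS proxy bound to loopback: only this machine can use it.
    DynamicForward localhost:1080
Host *
    ForwardAgent no
    ForwardX11 no
    GatewayPorts no
    # Fail closed when a forwarding cannot be set up rather than
    # continuing without it.
    ExitOnForwardFailure yes
```

The confirm flag mitigates but does not remove the risk described under
.Cm ForwardAgent :
an attacker on the remote host can still request signatures, the difference
is that each request now needs approval on the local display.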
.It Cm GlobalKnownHostsFile
Specifies one or more files to use for the global
host key database, separated by whitespace.
The default is
.Pa /etc/ssh/ssh_known_hosts ,
.Pa /etc/ssh/ssh_known_hosts2 .
.It Cm GSSAPIAuthentication
Specifies whether user authentication based on GSSAPI is allowed.
The default is
.Cm no .
.It Cm GSSAPIDelegateCredentials
Forward (delegate) credentials to the server.
The default is
.Cm no .
.It Cm HashKnownHosts
Indicates that
.Xr ssh 1
should hash host names and addresses when they are added to
.Pa ~/.ssh/known_hosts .
These hashed names may be used normally by
.Xr ssh 1
and
.Xr sshd 8 ,
but they do not reveal identifying information should the file's contents
be disclosed.
The default is
.Cm no .
Note that existing names and addresses in known hosts files
will not be converted automatically,
but may be manually hashed using
.Xr ssh-keygen 1 .
.It Cm HostbasedAuthentication
Specifies whether to try rhosts based authentication with public key
authentication.
The argument must be
.Cm yes
or
.Cm no
(the default).
.It Cm HostbasedKeyTypes
Specifies the key types that will be used for hostbased authentication
as a comma-separated pattern list.
Alternately, if the specified value begins with a
.Sq +
character, then the specified key types will be appended to the default set
instead of replacing them.
If the specified value begins with a
.Sq -
character, then the specified key types (including wildcards) will be removed
from the default set instead of replacing them.
The default for this option is:
.Bd -literal -offset 3n
ecdsa-sha2-nistp256-cert-v01@openssh.com,
ecdsa-sha2-nistp384-cert-v01@openssh.com,
ecdsa-sha2-nistp521-cert-v01@openssh.com,
ssh-ed25519-cert-v01@openssh.com,
ssh-rsa-cert-v01@openssh.com,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
ssh-ed25519,ssh-rsa
.Ed
.Pp
The
.Fl Q
option of
.Xr ssh 1
may be used to list supported key types.
.It Cm HostKeyAlgorithms
Specifies the host key algorithms
that the client wants to use in order of preference.
Alternately, if the specified value begins with a
.Sq +
character, then the specified key types will be appended to the default set
instead of replacing them.
If the specified value begins with a
.Sq -
character, then the specified key types (including wildcards) will be removed
from the default set instead of replacing them.
The default for this option is:
.Bd -literal -offset 3n
ecdsa-sha2-nistp256-cert-v01@openssh.com,
ecdsa-sha2-nistp384-cert-v01@openssh.com,
ecdsa-sha2-nistp521-cert-v01@openssh.com,
ssh-ed25519-cert-v01@openssh.com,
ssh-rsa-cert-v01@openssh.com,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
ssh-ed25519,ssh-rsa
.Ed
.Pp
If hostkeys are known for the destination host then this default is modified
to prefer their algorithms.
.Pp
The list of available key types may also be obtained using
.Qq ssh -Q key .
1.1 stevesk 838: .It Cm HostKeyAlias
839: Specifies an alias that should be used instead of the
840: real host name when looking up or saving the host key
841: in the host key database files.
1.84 jmc 842: This option is useful for tunneling SSH connections
1.1 stevesk 843: or for multiple servers running on a single host.
844: .It Cm HostName
845: Specifies the real host name to log into.
846: This can be used to specify nicknames or abbreviations for hosts.
1.239 jmc 847: Arguments to
848: .Cm HostName
849: accept the tokens described in the
850: .Sx TOKENS
851: section.
1.1 stevesk 852: Numeric IP addresses are also permitted (both on the command line and in
853: .Cm HostName
854: specifications).
1.239 jmc 855: The default is the name given on the command line.
1.29 markus 856: .It Cm IdentitiesOnly
857: Specifies that
1.84 jmc 858: .Xr ssh 1
1.221 djm 859: should only use the authentication identity and certificate files explicitly
860: configured in the
1.31 jmc 861: .Nm
1.221 djm 862: files
863: or passed on the
864: .Xr ssh 1
865: command-line,
1.84 jmc 866: even if
867: .Xr ssh-agent 1
1.159 djm 868: or a
869: .Cm PKCS11Provider
1.29 markus 870: offers more identities.
871: The argument to this keyword must be
1.240 jmc 872: .Cm yes
1.29 markus 873: or
1.240 jmc 874: .Cm no
875: (the default).
1.84 jmc 876: This option is intended for situations where ssh-agent
1.29 markus 877: offers many different identities.
1.231 markus 878: .It Cm IdentityAgent
879: Specifies the
880: .Ux Ns -domain
881: socket used to communicate with the authentication agent.
882: .Pp
883: This option overrides the
1.240 jmc 884: .Ev SSH_AUTH_SOCK
1.231 markus 885: environment variable and can be used to select a specific agent.
886: Setting the socket name to
1.240 jmc 887: .Cm none
1.231 markus 888: disables the use of an authentication agent.
1.232 markus 889: If the string
1.240 jmc 890: .Qq SSH_AUTH_SOCK
1.232 markus 891: is specified, the location of the socket will be read from the
892: .Ev SSH_AUTH_SOCK
893: environment variable.
1.231 markus 894: .Pp
1.239 jmc 895: Arguments to
896: .Cm IdentityAgent
897: may use the tilde syntax to refer to a user's home directory
898: or the tokens described in the
899: .Sx TOKENS
900: section.
1.67 jmc 901: .It Cm IdentityFile
1.192 sobrado 902: Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA authentication
1.139 djm 903: identity is read.
1.67 jmc 904: The default is
905: .Pa ~/.ssh/identity
906: for protocol version 1, and
1.139 djm 907: .Pa ~/.ssh/id_dsa ,
1.183 naddy 908: .Pa ~/.ssh/id_ecdsa ,
909: .Pa ~/.ssh/id_ed25519
1.139 djm 910: and
1.67 jmc 911: .Pa ~/.ssh/id_rsa
912: for protocol version 2.
913: Additionally, any identities represented by the authentication agent
1.165 djm 914: will be used for authentication unless
915: .Cm IdentitiesOnly
916: is set.
1.221 djm 917: If no certificates have been explicitly specified by
918: .Cm CertificateFile ,
1.129 djm 919: .Xr ssh 1
920: will try to load certificate information from the filename obtained by
921: appending
922: .Pa -cert.pub
923: to the path of a specified
924: .Cm IdentityFile .
1.90 djm 925: .Pp
1.239 jmc 926: Arguments to
927: .Cm IdentityFile
928: may use the tilde syntax to refer to a user's home directory
929: or the tokens described in the
930: .Sx TOKENS
931: section.
1.90 djm 932: .Pp
1.67 jmc 933: It is possible to have
934: multiple identity files specified in configuration files; all these
935: identities will be tried in sequence.
1.152 djm 936: Multiple
937: .Cm IdentityFile
938: directives will add to the list of identities tried (this behaviour
939: differs from that of other configuration directives).
1.165 djm 940: .Pp
941: .Cm IdentityFile
942: may be used in conjunction with
943: .Cm IdentitiesOnly
944: to select which identities in an agent are offered during authentication.
1.221 djm 945: .Cm IdentityFile
946: may also be used in conjunction with
947: .Cm CertificateFile
948: in order to provide any certificate also needed for authentication with
949: the identity.
1.164 jmc 950: .It Cm IgnoreUnknown
951: Specifies a pattern-list of unknown options to be ignored if they are
952: encountered in configuration parsing.
953: This may be used to suppress errors if
954: .Nm
955: contains options that are unrecognised by
956: .Xr ssh 1 .
957: It is recommended that
958: .Cm IgnoreUnknown
959: be listed early in the configuration file as it will not be applied
960: to unknown options that appear before it.
1.229 djm 961: .It Cm Include
962: Include the specified configuration file(s).
1.230 jmc 963: Multiple pathnames may be specified and each pathname may contain
1.229 djm 964: .Xr glob 3
965: wildcards and, for user configurations, shell-like
1.240 jmc 966: .Sq ~
1.229 djm 967: references to user home directories.
968: Files without absolute paths are assumed to be in
969: .Pa ~/.ssh
1.230 jmc 970: if included in a user configuration file or
1.229 djm 971: .Pa /etc/ssh
972: if included from the system configuration file.
973: .Cm Include
974: directives may appear inside a
975: .Cm Match
976: or
977: .Cm Host
978: block
979: to perform conditional inclusion.
1.143 djm 980: .It Cm IPQoS
981: Specifies the IPv4 type-of-service or DSCP class for connections.
982: Accepted values are
1.240 jmc 983: .Cm af11 ,
984: .Cm af12 ,
985: .Cm af13 ,
986: .Cm af21 ,
987: .Cm af22 ,
988: .Cm af23 ,
989: .Cm af31 ,
990: .Cm af32 ,
991: .Cm af33 ,
992: .Cm af41 ,
993: .Cm af42 ,
994: .Cm af43 ,
995: .Cm cs0 ,
996: .Cm cs1 ,
997: .Cm cs2 ,
998: .Cm cs3 ,
999: .Cm cs4 ,
1000: .Cm cs5 ,
1001: .Cm cs6 ,
1002: .Cm cs7 ,
1003: .Cm ef ,
1004: .Cm lowdelay ,
1005: .Cm throughput ,
1006: .Cm reliability ,
1.143 djm 1007: or a numeric value.
1.146 djm 1008: This option may take one or two arguments, separated by whitespace.
1.143 djm 1009: If one argument is specified, it is used as the packet class unconditionally.
1010: If two values are specified, the first is automatically selected for
1011: interactive sessions and the second for non-interactive sessions.
1012: The default is
1.240 jmc 1013: .Cm lowdelay
1.143 djm 1014: for interactive sessions and
1.240 jmc 1015: .Cm throughput
1.143 djm 1016: for non-interactive sessions.
1.103 djm 1017: .It Cm KbdInteractiveAuthentication
1018: Specifies whether to use keyboard-interactive authentication.
1019: The argument to this keyword must be
1.240 jmc 1020: .Cm yes
1021: (the default)
1.103 djm 1022: or
1.240 jmc 1023: .Cm no .
1.39 djm 1024: .It Cm KbdInteractiveDevices
1025: Specifies the list of methods to use in keyboard-interactive authentication.
1026: Multiple method names must be comma-separated.
1027: The default is to use the server specified list.
1.85 jmc 1028: The methods available vary depending on what the server supports.
1029: For an OpenSSH server,
1030: it may be zero or more of:
1.240 jmc 1031: .Cm bsdauth ,
1032: .Cm pam ,
1.85 jmc 1033: and
1.240 jmc 1034: .Cm skey .
1.140 djm 1035: .It Cm KexAlgorithms
1036: Specifies the available KEX (Key Exchange) algorithms.
1037: Multiple algorithms must be comma-separated.
1.214 djm 1038: Alternately if the specified value begins with a
1039: .Sq +
1040: character, then the specified methods will be appended to the default set
1041: instead of replacing them.
1.241 djm 1042: If the specified value begins with a
1043: .Sq -
1044: character, then the specified methods (including wildcards) will be removed
1045: from the default set instead of replacing them.
1.141 jmc 1046: The default is:
1047: .Bd -literal -offset indent
1.238 djm 1048: curve25519-sha256,curve25519-sha256@libssh.org,
1.141 jmc 1049: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
1050: diffie-hellman-group-exchange-sha256,
1.209 dtucker 1051: diffie-hellman-group-exchange-sha1,
1.212 djm 1052: diffie-hellman-group14-sha1
1.141 jmc 1053: .Ed
1.198 djm 1054: .Pp
1.240 jmc 1055: The list of available key exchange algorithms may also be obtained using
1056: .Qq ssh -Q kex .
1.65 reyk 1057: .It Cm LocalCommand
1058: Specifies a command to execute on the local machine after successfully
1059: connecting to the server.
1060: The command string extends to the end of the line, and is executed with
1.105 jmc 1061: the user's shell.
1.239 jmc 1062: Arguments to
1063: .Cm LocalCommand
1064: accept the tokens described in the
1065: .Sx TOKENS
1066: section.
1.123 djm 1067: .Pp
1068: The command is run synchronously and does not have access to the
1069: session of the
1070: .Xr ssh 1
1071: that spawned it.
1072: It should not be used for interactive commands.
1073: .Pp
1.65 reyk 1074: This directive is ignored unless
1075: .Cm PermitLocalCommand
1076: has been enabled.
1.1 stevesk 1077: .It Cm LocalForward
1.74 jmc 1078: Specifies that a TCP port on the local machine be forwarded over
1.1 stevesk 1079: the secure channel to the specified host and port from the remote machine.
1.49 jmc 1080: The first argument must be
1.43 djm 1081: .Sm off
1.49 jmc 1082: .Oo Ar bind_address : Oc Ar port
1.43 djm 1083: .Sm on
1.49 jmc 1084: and the second argument must be
1085: .Ar host : Ns Ar hostport .
1.138 djm 1086: IPv6 addresses can be specified by enclosing addresses in square brackets.
1.46 jmc 1087: Multiple forwardings may be specified, and additional forwardings can be
1.43 djm 1088: given on the command line.
1.1 stevesk 1089: Only the superuser can forward privileged ports.
1.43 djm 1090: By default, the local port is bound in accordance with the
1091: .Cm GatewayPorts
1092: setting.
1093: However, an explicit
1094: .Ar bind_address
1095: may be used to bind the connection to a specific address.
1096: The
1097: .Ar bind_address
1098: of
1.240 jmc 1099: .Cm localhost
1.46 jmc 1100: indicates that the listening port be bound for local use only, while an
1101: empty address or
1102: .Sq *
1.43 djm 1103: indicates that the port should be available from all interfaces.
1.243 ! dtucker 1104: .It Cm SyslogFacility
! 1105: Gives the facility code that is used when logging messages from
! 1106: .Xr ssh 1 .
! 1107: The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
! 1108: LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
! 1109: The default is USER.
1.1 stevesk 1110: .It Cm LogLevel
1111: Gives the verbosity level that is used when logging messages from
1.84 jmc 1112: .Xr ssh 1 .
1.1 stevesk 1113: The possible values are:
1.84 jmc 1114: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
1.7 jmc 1115: The default is INFO.
1116: DEBUG and DEBUG1 are equivalent.
1117: DEBUG2 and DEBUG3 each specify higher levels of verbose output.
1.1 stevesk 1118: .It Cm MACs
1119: Specifies the MAC (message authentication code) algorithms
1120: in order of preference.
1.226 jmc 1121: The MAC algorithm is used for data integrity protection.
1.1 stevesk 1122: Multiple algorithms must be comma-separated.
1.214 djm 1123: If the specified value begins with a
1124: .Sq +
1125: character, then the specified algorithms will be appended to the default set
1126: instead of replacing them.
1.241 djm 1127: If the specified value begins with a
1128: .Sq -
1129: character, then the specified algorithms (including wildcards) will be removed
1130: from the default set instead of replacing them.
1.214 djm 1131: .Pp
1.160 markus 1132: The algorithms that contain
1.240 jmc 1133: .Qq -etm
1.160 markus 1134: calculate the MAC after encryption (encrypt-then-mac).
1135: These are considered safer and their use recommended.
1.214 djm 1136: .Pp
1.84 jmc 1137: The default is:
1.101 jmc 1138: .Bd -literal -offset indent
1.160 markus 1139: umac-64-etm@openssh.com,umac-128-etm@openssh.com,
1140: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
1.224 djm 1141: hmac-sha1-etm@openssh.com,
1.186 naddy 1142: umac-64@openssh.com,umac-128@openssh.com,
1.224 djm 1143: hmac-sha2-256,hmac-sha2-512,hmac-sha1
1.101 jmc 1144: .Ed
1.198 djm 1145: .Pp
1.240 jmc 1146: The list of available MAC algorithms may also be obtained using
1147: .Qq ssh -Q mac .
1.1 stevesk 1148: .It Cm NoHostAuthenticationForLocalhost
1149: This option can be used if the home directory is shared across machines.
1150: In this case localhost will refer to a different machine on each of
1151: the machines and the user will get many warnings about changed host keys.
1152: However, this option disables host authentication for localhost.
1153: The argument to this keyword must be
1.240 jmc 1154: .Cm yes
1.1 stevesk 1155: or
1.242 jmc 1156: .Cm no
1.240 jmc 1157: (the default).
1.1 stevesk 1158: .It Cm NumberOfPasswordPrompts
1159: Specifies the number of password prompts before giving up.
1160: The argument to this keyword must be an integer.
1.84 jmc 1161: The default is 3.
1.1 stevesk 1162: .It Cm PasswordAuthentication
1163: Specifies whether to use password authentication.
1164: The argument to this keyword must be
1.240 jmc 1165: .Cm yes
1166: (the default)
1.1 stevesk 1167: or
1.240 jmc 1168: .Cm no .
1.65 reyk 1169: .It Cm PermitLocalCommand
1170: Allow local command execution via the
1171: .Ic LocalCommand
1172: option or using the
1.66 jmc 1173: .Ic !\& Ns Ar command
1.65 reyk 1174: escape sequence in
1175: .Xr ssh 1 .
1176: The argument must be
1.240 jmc 1177: .Cm yes
1.65 reyk 1178: or
1.240 jmc 1179: .Cm no
1180: (the default).
1.127 markus 1181: .It Cm PKCS11Provider
1182: Specifies which PKCS#11 provider to use.
1.144 jmc 1183: The argument to this keyword is the PKCS#11 shared library
1.127 markus 1184: .Xr ssh 1
1.128 markus 1185: should use to communicate with a PKCS#11 token providing the user's
1.127 markus 1186: private RSA key.
1.67 jmc 1187: .It Cm Port
1188: Specifies the port number to connect on the remote host.
1.84 jmc 1189: The default is 22.
1.1 stevesk 1190: .It Cm PreferredAuthentications
1.226 jmc 1191: Specifies the order in which the client should try authentication methods.
1.48 jmc 1192: This allows a client to prefer one method (e.g.\&
1.1 stevesk 1193: .Cm keyboard-interactive )
1.48 jmc 1194: over another method (e.g.\&
1.131 jmc 1195: .Cm password ) .
1196: The default is:
1197: .Bd -literal -offset indent
1198: gssapi-with-mic,hostbased,publickey,
1199: keyboard-interactive,password
1200: .Ed
1.1 stevesk 1201: .It Cm Protocol
1202: Specifies the protocol versions
1.84 jmc 1203: .Xr ssh 1
1.1 stevesk 1204: should support in order of preference.
1.240 jmc 1205: The possible values are 1 and 2.
1.1 stevesk 1206: Multiple versions must be comma-separated.
1.120 markus 1207: When this option is set to
1.240 jmc 1208: .Cm 2,1
1.120 markus 1209: .Nm ssh
1210: will try version 2 and fall back to version 1
1211: if version 2 is not available.
1.240 jmc 1212: The default is version 2.
1.225 djm 1213: Protocol 1 suffers from a number of cryptographic weaknesses and should
1214: not be used.
1215: It is only offered to support legacy devices.
1.1 stevesk 1216: .It Cm ProxyCommand
1217: Specifies the command to use to connect to the server.
1218: The command
1.190 djm 1219: string extends to the end of the line, and is executed
1220: using the user's shell
1221: .Ql exec
1222: directive to avoid a lingering shell process.
1223: .Pp
1.239 jmc 1224: Arguments to
1225: .Cm ProxyCommand
1226: accept the tokens described in the
1227: .Sx TOKENS
1228: section.
1.1 stevesk 1229: The command can be basically anything,
1230: and should read from its standard input and write to its standard output.
1231: It should eventually connect an
1232: .Xr sshd 8
1233: server running on some machine, or execute
1234: .Ic sshd -i
1235: somewhere.
1236: Host key management will be done using the
1237: HostName of the host being connected to (defaulting to the name typed by
1238: the user).
1.7 jmc 1239: Setting the command to
1.240 jmc 1240: .Cm none
1.6 markus 1241: disables this option entirely.
1.1 stevesk 1242: Note that
1243: .Cm CheckHostIP
1244: is not available for connects with a proxy command.
1.52 djm 1245: .Pp
1246: This directive is useful in conjunction with
1247: .Xr nc 1
1248: and its proxy support.
1.53 jmc 1249: For example, the following directive would connect via an HTTP proxy at
1.52 djm 1250: 192.0.2.0:
1251: .Bd -literal -offset 3n
1252: ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
1253: .Ed
1.233 djm 1254: .It Cm ProxyJump
1255: Specifies one or more jump proxies as
1256: .Xo
1257: .Sm off
1.234 jmc 1258: .Op Ar user No @
1.233 djm 1259: .Ar host
1.234 jmc 1260: .Op : Ns Ar port
1.233 djm 1261: .Sm on
1262: .Xc .
1.235 djm 1263: Multiple proxies may be separated by comma characters and will be visited
1.236 djm 1264: sequentially.
1.233 djm 1265: Setting this option will cause
1266: .Xr ssh 1
1267: to connect to the target host by first making a
1268: .Xr ssh 1
1269: connection to the specified
1270: .Cm ProxyJump
1271: host and then establishing a
1.234 jmc 1272: TCP forwarding to the ultimate target from there.
1.233 djm 1273: .Pp
1274: Note that this option will compete with the
1275: .Cm ProxyCommand
1276: option - whichever is specified first will prevent later instances of the
1277: other from taking effect.
1.167 djm 1278: .It Cm ProxyUseFdpass
1.168 jmc 1279: Specifies that
1.167 djm 1280: .Cm ProxyCommand
1281: will pass a connected file descriptor back to
1.168 jmc 1282: .Xr ssh 1
1.167 djm 1283: instead of continuing to execute and pass data.
1284: The default is
1.240 jmc 1285: .Cm no .
1.213 markus 1286: .It Cm PubkeyAcceptedKeyTypes
1287: Specifies the key types that will be used for public key authentication
1288: as a comma-separated pattern list.
1.214 djm 1289: Alternately if the specified value begins with a
1290: .Sq +
1291: character, then the key types after it will be appended to the default
1292: instead of replacing it.
1.241 djm 1293: If the specified value begins with a
1294: .Sq -
1295: character, then the specified key types (including wildcards) will be removed
1296: from the default set instead of replacing them.
1.213 markus 1297: The default for this option is:
1298: .Bd -literal -offset 3n
1299: ecdsa-sha2-nistp256-cert-v01@openssh.com,
1300: ecdsa-sha2-nistp384-cert-v01@openssh.com,
1301: ecdsa-sha2-nistp521-cert-v01@openssh.com,
1302: ssh-ed25519-cert-v01@openssh.com,
1303: ssh-rsa-cert-v01@openssh.com,
1304: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
1.227 djm 1305: ssh-ed25519,ssh-rsa
1.213 markus 1306: .Ed
1307: .Pp
1.240 jmc 1308: The list of available key types may also be obtained using
1309: .Qq ssh -Q key .
1.1 stevesk 1310: .It Cm PubkeyAuthentication
1311: Specifies whether to try public key authentication.
1312: The argument to this keyword must be
1.240 jmc 1313: .Cm yes
1314: (the default)
1.1 stevesk 1315: or
1.240 jmc 1316: .Cm no .
1.75 dtucker 1317: .It Cm RekeyLimit
1318: Specifies the maximum amount of data that may be transmitted before the
1.162 dtucker 1319: session key is renegotiated, optionally followed by a maximum amount of
1320: time that may pass before the session key is renegotiated.
1321: The first argument is specified in bytes and may have a suffix of
1.76 jmc 1322: .Sq K ,
1323: .Sq M ,
1.75 dtucker 1324: or
1.76 jmc 1325: .Sq G
1.75 dtucker 1326: to indicate Kilobytes, Megabytes, or Gigabytes, respectively.
1327: The default is between
1.84 jmc 1328: .Sq 1G
1.75 dtucker 1329: and
1.84 jmc 1330: .Sq 4G ,
1.75 dtucker 1331: depending on the cipher.
1.162 dtucker 1332: The optional second value is specified in seconds and may use any of the
1333: units documented in the
1.240 jmc 1334: .Sx TIME FORMATS
1335: section of
1.162 dtucker 1336: .Xr sshd_config 5 .
1337: The default value for
1338: .Cm RekeyLimit
1339: is
1.240 jmc 1340: .Cm default none ,
1.162 dtucker 1341: which means that rekeying is performed after the cipher's default amount
1342: of data has been sent or received and no time based rekeying is done.
1.1 stevesk 1343: .It Cm RemoteForward
1.74 jmc 1344: Specifies that a TCP port on the remote machine be forwarded over
1.1 stevesk 1345: the secure channel to the specified host and port from the local machine.
1.49 jmc 1346: The first argument must be
1.43 djm 1347: .Sm off
1.49 jmc 1348: .Oo Ar bind_address : Oc Ar port
1.43 djm 1349: .Sm on
1.49 jmc 1350: and the second argument must be
1351: .Ar host : Ns Ar hostport .
1.138 djm 1352: IPv6 addresses can be specified by enclosing addresses in square brackets.
1.1 stevesk 1353: Multiple forwardings may be specified, and additional
1354: forwardings can be given on the command line.
1.113 stevesk 1355: Privileged ports can be forwarded only when
1356: logging in as root on the remote machine.
1.118 jmc 1357: .Pp
1.117 djm 1358: If the
1359: .Ar port
1.240 jmc 1360: argument is 0,
1.117 djm 1361: the listen port will be dynamically allocated on the server and reported
1362: to the client at run time.
1.43 djm 1363: .Pp
1364: If the
1365: .Ar bind_address
1366: is not specified, the default is to only bind to loopback addresses.
1367: If the
1368: .Ar bind_address
1369: is
1370: .Ql *
1371: or an empty string, then the forwarding is requested to listen on all
1372: interfaces.
1373: Specifying a remote
1374: .Ar bind_address
1.46 jmc 1375: will only succeed if the server's
1376: .Cm GatewayPorts
1.43 djm 1377: option is enabled (see
1.46 jmc 1378: .Xr sshd_config 5 ) .
1.149 djm 1379: .It Cm RequestTTY
1380: Specifies whether to request a pseudo-tty for the session.
1381: The argument may be one of:
1.240 jmc 1382: .Cm no
1.149 djm 1383: (never request a TTY),
1.240 jmc 1384: .Cm yes
1.149 djm 1385: (always request a TTY when standard input is a TTY),
1.240 jmc 1386: .Cm force
1.149 djm 1387: (always request a TTY) or
1.240 jmc 1388: .Cm auto
1.149 djm 1389: (request a TTY when opening a login session).
1390: This option mirrors the
1391: .Fl t
1392: and
1393: .Fl T
1394: flags for
1395: .Xr ssh 1 .
1.196 djm 1396: .It Cm RevokedHostKeys
1397: Specifies revoked host public keys.
1398: Keys listed in this file will be refused for host authentication.
1399: Note that if this file does not exist or is not readable,
1400: then host authentication will be refused for all hosts.
1401: Keys may be specified as a text file, listing one public key per line, or as
1402: an OpenSSH Key Revocation List (KRL) as generated by
1403: .Xr ssh-keygen 1 .
1404: For more information on KRLs, see the KEY REVOCATION LISTS section in
1405: .Xr ssh-keygen 1 .
1.1 stevesk 1406: .It Cm RhostsRSAAuthentication
1407: Specifies whether to try rhosts based authentication with RSA host
1408: authentication.
1409: The argument must be
1.240 jmc 1410: .Cm yes
1.1 stevesk 1411: or
1.240 jmc 1412: .Cm no
1413: (the default).
1.1 stevesk 1414: This option applies to protocol version 1 only and requires
1.84 jmc 1415: .Xr ssh 1
1.1 stevesk 1416: to be setuid root.
1417: .It Cm RSAAuthentication
1418: Specifies whether to try RSA authentication.
1419: The argument to this keyword must be
1.240 jmc 1420: .Cm yes
1421: (the default)
1.1 stevesk 1422: or
1.240 jmc 1423: .Cm no .
1.1 stevesk 1424: RSA authentication will only be
1425: attempted if the identity file exists, or an authentication agent is
1426: running.
1427: Note that this option applies to protocol version 1 only.
1.32 djm 1428: .It Cm SendEnv
1429: Specifies what variables from the local
1430: .Xr environ 7
1431: should be sent to the server.
1.84 jmc 1432: The server must also support it, and the server must be configured to
1.33 djm 1433: accept these environment variables.
1.207 dtucker 1434: Note that the
1435: .Ev TERM
1.208 jmc 1436: environment variable is always sent whenever a
1.207 dtucker 1437: pseudo-terminal is requested as it is required by the protocol.
1.32 djm 1438: Refer to
1439: .Cm AcceptEnv
1440: in
1441: .Xr sshd_config 5
1442: for how to configure the server.
1.80 jmc 1443: Variables are specified by name, which may contain wildcard characters.
1.33 djm 1444: Multiple environment variables may be separated by whitespace or spread
1.32 djm 1445: across multiple
1446: .Cm SendEnv
1447: directives.
1448: The default is not to send any environment variables.
1.81 jmc 1449: .Pp
1450: See
1451: .Sx PATTERNS
1452: for more information on patterns.
1.28 markus 1453: .It Cm ServerAliveCountMax
1.73 jmc 1454: Sets the number of server alive messages (see below) which may be
1.28 markus 1455: sent without
1.84 jmc 1456: .Xr ssh 1
1.28 markus 1457: receiving any messages back from the server.
1458: If this threshold is reached while server alive messages are being sent,
1.84 jmc 1459: ssh will disconnect from the server, terminating the session.
1.28 markus 1460: It is important to note that the use of server alive messages is very
1461: different from
1462: .Cm TCPKeepAlive
1463: (below).
1464: The server alive messages are sent through the encrypted channel
1465: and therefore will not be spoofable.
1466: The TCP keepalive option enabled by
1467: .Cm TCPKeepAlive
1468: is spoofable.
1469: The server alive mechanism is valuable when the client or
1470: server depend on knowing when a connection has become inactive.
1471: .Pp
1472: The default value is 3.
1473: If, for example,
1474: .Cm ServerAliveInterval
1.84 jmc 1475: (see below) is set to 15 and
1.28 markus 1476: .Cm ServerAliveCountMax
1.84 jmc 1477: is left at the default, if the server becomes unresponsive,
1478: ssh will disconnect after approximately 45 seconds.
1.67 jmc 1479: .It Cm ServerAliveInterval
1480: Sets a timeout interval in seconds after which if no data has been received
1481: from the server,
1.84 jmc 1482: .Xr ssh 1
1.67 jmc 1483: will send a message through the encrypted
1484: channel to request a response from the server.
1485: The default
1486: is 0, indicating that these messages will not be sent to the server.
1.191 millert 1487: .It Cm StreamLocalBindMask
1488: Sets the octal file creation mode mask
1489: .Pq umask
1490: used when creating a Unix-domain socket file for local or remote
1491: port forwarding.
1492: This option is only used for port forwarding to a Unix-domain socket file.
1493: .Pp
1494: The default value is 0177, which creates a Unix-domain socket file that is
1495: readable and writable only by the owner.
1496: Note that not all operating systems honor the file mode on Unix-domain
1497: socket files.
1498: .It Cm StreamLocalBindUnlink
1499: Specifies whether to remove an existing Unix-domain socket file for local
1500: or remote port forwarding before creating a new one.
1501: If the socket file already exists and
1502: .Cm StreamLocalBindUnlink
1503: is not enabled,
1504: .Nm ssh
1505: will be unable to forward the port to the Unix-domain socket file.
1506: This option is only used for port forwarding to a Unix-domain socket file.
1507: .Pp
1508: The argument must be
1.240 jmc 1509: .Cm yes
1.191 millert 1510: or
1.240 jmc 1511: .Cm no
1512: (the default).
1.1 stevesk 1513: .It Cm StrictHostKeyChecking
1514: If this flag is set to
1.240 jmc 1515: .Cm yes ,
1.84 jmc 1516: .Xr ssh 1
1.1 stevesk 1517: will never automatically add host keys to the
1.50 djm 1518: .Pa ~/.ssh/known_hosts
1.1 stevesk 1519: file, and refuses to connect to hosts whose host key has changed.
1520: This provides maximum protection against trojan horse attacks,
1.84 jmc 1521: though it can be annoying when the
1.1 stevesk 1522: .Pa /etc/ssh/ssh_known_hosts
1.84 jmc 1523: file is poorly maintained or when connections to new hosts are
1.1 stevesk 1524: frequently made.
1525: This option forces the user to manually
1526: add all new hosts.
1527: If this flag is set to
1.240 jmc 1528: .Cm no ,
1.84 jmc 1529: ssh will automatically add new host keys to the
1.1 stevesk 1530: user known hosts files.
1531: If this flag is set to
1.240 jmc 1532: .Cm ask
1533: (the default),
1.1 stevesk 1534: new host keys
1535: will be added to the user known host files only after the user
1536: has confirmed that is what they really want to do, and
1.84 jmc 1537: ssh will refuse to connect to hosts whose host key has changed.
1.1 stevesk 1538: The host keys of
1539: known hosts will be verified automatically in all cases.
1.26 markus 1540: .It Cm TCPKeepAlive
1541: Specifies whether the system should send TCP keepalive messages to the
1542: other side.
1543: If they are sent, death of the connection or crash of one
1544: of the machines will be properly noticed.
1545: However, this means that
1546: connections will die if the route is down temporarily, and some people
1547: find it annoying.
1548: .Pp
1549: The default is
1.240 jmc 1550: .Cm yes
1.26 markus 1551: (to send TCP keepalive messages), and the client will notice
1552: if the network goes down or the remote host dies.
1553: This is important in scripts, and many users want it too.
1554: .Pp
1555: To disable TCP keepalive messages, the value should be set to
1.240 jmc 1556: .Cm no .
1.65 reyk 1557: .It Cm Tunnel
1.95 stevesk 1558: Request
1.65 reyk 1559: .Xr tun 4
1.69 jmc 1560: device forwarding between the client and the server.
1.65 reyk 1561: The argument must be
1.240 jmc 1562: .Cm yes ,
1563: .Cm point-to-point
1.95 stevesk 1564: (layer 3),
1.240 jmc 1565: .Cm ethernet
1.95 stevesk 1566: (layer 2),
1.65 reyk 1567: or
1.240 jmc 1568: .Cm no
1569: (the default).
1.95 stevesk 1570: Specifying
1.240 jmc 1571: .Cm yes
1.95 stevesk 1572: requests the default tunnel mode, which is
1.240 jmc 1573: .Cm point-to-point .
1.65 reyk 1574: .It Cm TunnelDevice
1.95 stevesk 1575: Specifies the
1.65 reyk 1576: .Xr tun 4
1.95 stevesk 1577: devices to open on the client
1578: .Pq Ar local_tun
1579: and the server
1580: .Pq Ar remote_tun .
1581: .Pp
1582: The argument must be
1583: .Sm off
1584: .Ar local_tun Op : Ar remote_tun .
1585: .Sm on
1586: The devices may be specified by numerical ID or the keyword
1.240 jmc 1587: .Cm any ,
1.95 stevesk 1588: which uses the next available tunnel device.
1589: If
1590: .Ar remote_tun
1591: is not specified, it defaults to
1.240 jmc 1592: .Cm any .
1.95 stevesk 1593: The default is
1.240 jmc 1594: .Cm any:any .
1.201 djm 1595: .It Cm UpdateHostKeys
1.200 djm 1596: Specifies whether
1597: .Xr ssh 1
1598: should accept notifications of additional hostkeys from the server sent
1599: after authentication has completed and add them to
1600: .Cm UserKnownHostsFile .
1601: The argument must be
1.240 jmc 1602: .Cm yes ,
1603: .Cm no
1.204 djm 1604: (the default) or
1.240 jmc 1605: .Cm ask .
1.200 djm 1606: Enabling this option allows learning alternate hostkeys for a server
1.201 djm 1607: and supports graceful key rotation by allowing a server to send replacement
1608: public keys before old ones are removed.
1.200 djm 1609: Additional hostkeys are only accepted if the key used to authenticate the
1.220 sobrado 1610: host was already trusted or explicitly accepted by the user.
1.204 djm 1611: If
1612: .Cm UpdateHostKeys
1613: is set to
1.240 jmc 1614: .Cm ask ,
1.204 djm 1615: then the user is asked to confirm the modifications to the known_hosts file.
1.205 djm 1616: Confirmation is currently incompatible with
1617: .Cm ControlPersist ,
1618: and will be disabled if it is enabled.
1.200 djm 1619: .Pp
1620: Presently, only
1621: .Xr sshd 8
1622: from OpenSSH 6.8 and greater support the
1.240 jmc 1623: .Qq hostkeys@openssh.com
1.200 djm 1624: protocol extension used to inform the client of all the server's hostkeys.
1.72 jmc 1625: .It Cm UsePrivilegedPort
1626: Specifies whether to use a privileged port for outgoing connections.
1627: The argument must be
1.240 jmc 1628: .Cm yes
1.72 jmc 1629: or
1.240 jmc 1630: .Cm no
1631: (the default).
1.72 jmc 1632: If set to
1.240 jmc 1633: .Cm yes ,
1.84 jmc 1634: .Xr ssh 1
1.72 jmc 1635: must be setuid root.
1636: Note that this option must be set to
1.240 jmc 1637: .Cm yes
1.72 jmc 1638: for
1639: .Cm RhostsRSAAuthentication
1640: with older servers.
1.1 stevesk 1641: .It Cm User
1642: Specifies the user to log in as.
1643: This can be useful when a different user name is used on different machines.
1644: This saves the trouble of
1645: having to remember to give the user name on the command line.
1646: .It Cm UserKnownHostsFile
1.151 djm 1647: Specifies one or more files to use for the user
1648: host key database, separated by whitespace.
1649: The default is
1650: .Pa ~/.ssh/known_hosts ,
1651: .Pa ~/.ssh/known_hosts2 .
1.8 jakob 1652: .It Cm VerifyHostKeyDNS
1653: Specifies whether to verify the remote key using DNS and SSHFP resource
1654: records.
1.24 jakob 1655: If this option is set to
1.240 jmc 1656: .Cm yes ,
1.25 jmc 1657: the client will implicitly trust keys that match a secure fingerprint
1.24 jakob 1658: from DNS.
1659: Insecure fingerprints will be handled as if this option were set to
1.240 jmc 1660: .Cm ask .
1.24 jakob 1661: If this option is set to
1.240 jmc 1662: .Cm ask ,
1.24 jakob 1663: information on the fingerprint match will be displayed, but the user will still
1664: need to confirm new host keys according to the
1665: .Cm StrictHostKeyChecking
1666: option.
1.8 jakob 1667: The default is
1.240 jmc 1668: .Cm no .
1.84 jmc 1669: .Pp
1.240 jmc 1670: See also
1671: .Sx VERIFYING HOST KEYS
1672: in
1.84 jmc 1673: .Xr ssh 1 .
1.111 grunk 1674: .It Cm VisualHostKey
1675: If this flag is set to
1.240 jmc 1676: .Cm yes ,
1.111 grunk 1677: an ASCII art representation of the remote host key fingerprint is
1.197 djm 1678: printed in addition to the fingerprint string at login and
1.114 stevesk 1679: for unknown host keys.
1.111 grunk 1680: If this flag is set to
1.240 jmc 1681: .Cm no
1682: (the default),
1.114 stevesk 1683: no fingerprint strings are printed at login and
1.197 djm 1684: only the fingerprint string will be printed for unknown host keys.
1.1 stevesk 1685: .It Cm XAuthLocation
1.5 stevesk 1686: Specifies the full pathname of the
1.1 stevesk 1687: .Xr xauth 1
1688: program.
1689: The default is
1690: .Pa /usr/X11R6/bin/xauth .
1691: .El
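The two host-key decisions described above, UpdateHostKeys (learn extra keys only when the key that authenticated the connection is already trusted) and VerifyHostKeyDNS (trust a DNS fingerprint only when it matched and was DNSSEC-validated, otherwise fall back to asking), modelled as an added Python example. This is not OpenSSH code: the known_hosts contents, key blobs and SSHFP records are constructed for the example, and the function names are this example's own. SSHFP records are represented as (algorithm number, fingerprint type, hex digest) tuples as published in DNS.

```python
import base64
import hashlib

def fake_key(seed: bytes) -> str:
    """Constructed stand-in for a base64 public-key blob (not a real key)."""
    return base64.b64encode(hashlib.sha256(seed).digest()).decode()

# Constructed known_hosts contents for the example.
KNOWN_HOSTS = (
    f"git.example.com ssh-ed25519 {fake_key(b'old-ed25519')}\n"
    "# comment lines and @-marker lines are skipped by the parser below\n"
    f"other.example.com,10.0.0.5 ssh-rsa {fake_key(b'other-rsa')}\n"
)

def parse_known_hosts(text: str) -> dict:
    """Return {(host, keytype): key_b64} for plain (unhashed) known_hosts entries."""
    db = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#@":
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        for host in fields[0].split(","):
            db[(host, fields[1])] = fields[2]
    return db

def update_host_keys(known_hosts: str, host: str, auth_key: tuple,
                     new_keys: list, mode: str = "no") -> tuple:
    """UpdateHostKeys decision.  auth_key is (keytype, key_b64) of the key the
    server authenticated with; new_keys is the list the server announced.
    Returns ('add'|'ask'|'reject', [known_hosts lines to append])."""
    if mode == "no":
        return ("reject", [])
    db = parse_known_hosts(known_hosts)
    # Only learn new keys when the authenticating key is already trusted.
    if db.get((host, auth_key[0])) != auth_key[1]:
        return ("reject", [])
    entries = [f"{host} {kt} {kb}" for kt, kb in new_keys
               if db.get((host, kt)) != kb]
    return ("ask" if mode == "ask" else "add", entries)

# SSHFP algorithm and fingerprint-type numbers as registered for the record type.
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

def sshfp_fingerprint(keytype: str, key_b64: str, fptype: int) -> str:
    """Hex digest of the raw public-key blob, as carried in an SSHFP record."""
    return SSHFP_HASH[fptype](base64.b64decode(key_b64)).hexdigest()

def verify_host_key_dns(keytype: str, key_b64: str, records: list,
                        dnssec_validated: bool, option: str = "no") -> str:
    """VerifyHostKeyDNS decision: 'trust' (implicit accept), 'ask' (show the match,
    still confirm per StrictHostKeyChecking) or 'strict' (no DNS input at all)."""
    if option == "no":
        return "strict"
    matched = any(alg == SSHFP_ALG.get(keytype) and fptype in SSHFP_HASH
                  and hexfp.lower() == sshfp_fingerprint(keytype, key_b64, fptype)
                  for alg, fptype, hexfp in records)
    if not matched:
        return "strict"
    # A matching but non-validated ("insecure") fingerprint is treated as 'ask'.
    if option == "yes" and dnssec_validated:
        return "trust"
    return "ask"
```

The point both functions make explicit is that neither mechanism creates trust on its own: UpdateHostKeys extends trust from a key that was already accepted, and VerifyHostKeyDNS only short-circuits confirmation when the resolver reported the record as DNSSEC-validated.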
1.86 jmc 1692: .Sh PATTERNS
1693: A
1694: .Em pattern
1695: consists of zero or more non-whitespace characters,
1696: .Sq *
1697: (a wildcard that matches zero or more characters),
1698: or
1699: .Sq ?\&
1700: (a wildcard that matches exactly one character).
1701: For example, to specify a set of declarations for any host in the
1.240 jmc 1702: .Qq .co.uk
1.86 jmc 1703: set of domains,
1704: the following pattern could be used:
1705: .Pp
1706: .Dl Host *.co.uk
1707: .Pp
1708: The following pattern
1709: would match any host in the 192.168.0.[0-9] network range:
1710: .Pp
1711: .Dl Host 192.168.0.?
1712: .Pp
1713: A
1714: .Em pattern-list
1715: is a comma-separated list of patterns.
1716: Patterns within pattern-lists may be negated
1717: by preceding them with an exclamation mark
1718: .Pq Sq !\& .
1719: For example,
1.174 djm 1720: to allow a key to be used from anywhere within an organization
1.86 jmc 1721: except from the
1.240 jmc 1722: .Qq dialup
1.86 jmc 1723: pool,
1724: the following entry (in authorized_keys) could be used:
1725: .Pp
1726: .Dl from=\&"!*.dialup.example.com,*.example.com\&"
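The matching rules of the PATTERNS section written out as an added Python example (this is not OpenSSH's own matcher): a wildcard matcher for single patterns and a pattern-list evaluator in which a negated entry that matches wins immediately, so the authorized_keys example above excludes the dialup pool even though the positive pattern would also match. Hostnames in the usage are constructed; the function names and return convention (1 positive, -1 negated, 0 no match) are this example's own.

```python
def match_pattern(s: str, pattern: str) -> bool:
    """'*' matches zero or more characters, '?' exactly one, all else literal.
    Iterative glob matcher with backtracking to the last '*'."""
    i = j = 0
    star, mark = -1, 0
    while i < len(s):
        if j < len(pattern) and (pattern[j] == "?" or pattern[j] == s[i]):
            i += 1
            j += 1
        elif j < len(pattern) and pattern[j] == "*":
            star, mark = j, i        # remember where '*' can still expand
            j += 1
        elif star != -1:
            mark += 1                # let the last '*' absorb one more character
            i, j = mark, star + 1
        else:
            return False
    while j < len(pattern) and pattern[j] == "*":
        j += 1                       # trailing '*' may match the empty string
    return j == len(pattern)

def match_pattern_list(s: str, pattern_list: str) -> int:
    """Comma-separated pattern list with '!' negation.
    Returns -1 as soon as a negated pattern matches, 1 if any positive pattern
    matched (and no negated one did), otherwise 0."""
    got_positive = 0
    for p in pattern_list.split(","):
        p = p.strip()
        if not p:
            continue
        negated = p.startswith("!")
        if negated:
            p = p[1:]
        if match_pattern(s, p):
            if negated:
                return -1
            got_positive = 1
    return got_positive

def key_allowed_from(host: str) -> bool:
    """Constructed usage: the from= restriction shown in the PATTERNS section."""
    return match_pattern_list(host, "!*.dialup.example.com,*.example.com") == 1
```

Because a negated match returns -1 regardless of where it sits in the list, the order "*.example.com,!*.dialup.example.com" produces the same exclusion; a list made only of negated patterns never returns 1, so it allows nothing.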
1.239 jmc 1727: .Sh TOKENS
1728: Arguments to some keywords can make use of tokens,
1729: which are expanded at runtime:
1730: .Pp
1731: .Bl -tag -width XXXX -offset indent -compact
1732: .It %%
1733: A literal
1734: .Sq % .
1735: .It \&%C
1736: Shorthand for %l%h%p%r.
1737: .It %d
1738: Local user's home directory.
1739: .It %h
1740: The remote hostname.
1741: .It %i
1742: The local user ID.
1743: .It %L
1744: The local hostname.
1745: .It %l
1746: The local hostname, including the domain name.
1747: .It %n
1748: The original remote hostname, as given on the command line.
1749: .It %p
1750: The remote port.
1751: .It %r
1752: The remote username.
1753: .It %u
1754: The local username.
1755: .El
1756: .Pp
1757: .Cm Match exec
1758: accepts the tokens %%, %h, %L, %l, %n, %p, %r, and %u.
1759: .Pp
1760: .Cm CertificateFile
1761: accepts the tokens %%, %d, %h, %l, %r, and %u.
1762: .Pp
1763: .Cm ControlPath
1764: accepts the tokens %%, %C, %h, %i, %L, %l, %n, %p, %r, and %u.
1765: .Pp
1766: .Cm HostName
1767: accepts the tokens %% and %h.
1768: .Pp
1769: .Cm IdentityAgent
1770: and
1771: .Cm IdentityFile
1772: accept the tokens %%, %d, %h, %l, %r, and %u.
1773: .Pp
1774: .Cm LocalCommand
1775: accepts the tokens %%, %C, %d, %h, %l, %n, %p, %r, and %u.
1776: .Pp
1777: .Cm ProxyCommand
1778: accepts the tokens %%, %h, %p, and %r.
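Token expansion as described in the TOKENS section, as an added Python example that is not OpenSSH's expander: the per-keyword token lists above are enforced, so a token the keyword does not accept (or a dangling %) is an error rather than something silently passed into a path or command. The context values are constructed, and %C is expanded exactly as the page describes it, as %l%h%p%r. The function names are this example's own.

```python
# Tokens each keyword accepts, transcribed from the TOKENS section.
ALLOWED = {
    "Match exec":      set("%hLlnpru"),
    "CertificateFile": set("%dhlru"),
    "ControlPath":     set("%ChiLlnpru"),
    "HostName":        set("%h"),
    "IdentityAgent":   set("%dhlru"),
    "IdentityFile":    set("%dhlru"),
    "LocalCommand":    set("%Cdhlnpru"),
    "ProxyCommand":    set("%hpr"),
}

# Constructed connection context: token letter -> value.
CTX = {"d": "/home/alice", "h": "git.example.com", "i": "1000", "L": "laptop",
       "l": "laptop.example.net", "n": "git", "p": "22", "r": "alice", "u": "alice"}

def expand_tokens(keyword: str, value: str, ctx: dict) -> str:
    """Expand %-tokens in the argument of `keyword`.
    Raises ValueError for a token the keyword does not accept or a trailing '%'."""
    allowed = ALLOWED[keyword]
    out = []
    i = 0
    while i < len(value):
        c = value[i]
        if c != "%":
            out.append(c)
            i += 1
            continue
        if i + 1 >= len(value):
            raise ValueError(f"{keyword}: dangling % at end of argument")
        t = value[i + 1]
        if t not in allowed:
            raise ValueError(f"{keyword}: token %{t} not permitted here")
        if t == "%":
            out.append("%")
        elif t == "C":
            out.append("".join(ctx[k] for k in "lhpr"))   # %C as documented above
        else:
            out.append(ctx[t])
        i += 2
    return "".join(out)

def is_permitted(keyword: str, value: str) -> bool:
    """True when every token in `value` is accepted by `keyword`."""
    try:
        expand_tokens(keyword, value, CTX)
        return True
    except ValueError:
        return False
```

A config linter can run `is_permitted` over each keyword/value pair before the file is deployed; the check is cheap and catches the common mistake of reusing a ControlPath-style argument (with %C or %i) in a keyword such as ProxyCommand that only accepts %%, %h, %p and %r.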
1.1 stevesk 1779: .Sh FILES
1780: .Bl -tag -width Ds
1.50 djm 1781: .It Pa ~/.ssh/config
1.1 stevesk 1782: This is the per-user configuration file.
1783: The format of this file is described above.
1.84 jmc 1784: This file is used by the SSH client.
1.30 djm 1785: Because of the potential for abuse, this file must have strict permissions:
1786: read/write for the user, and not accessible by others.
1.1 stevesk 1787: .It Pa /etc/ssh/ssh_config
1788: Systemwide configuration file.
1789: This file provides defaults for those
1790: values that are not specified in the user's configuration file, and
1791: for those users who do not have a configuration file.
1792: This file must be world-readable.
1793: .El
1.13 jmc 1794: .Sh SEE ALSO
1795: .Xr ssh 1
1.1 stevesk 1796: .Sh AUTHORS
1.240 jmc 1797: .An -nosplit
1.1 stevesk 1798: OpenSSH is a derivative of the original and free
1.240 jmc 1799: ssh 1.2.12 release by
1800: .An Tatu Ylonen .
1801: .An Aaron Campbell , Bob Beck , Markus Friedl ,
1802: .An Niels Provos , Theo de Raadt
1803: and
1804: .An Dug Song
1.1 stevesk 1805: removed many bugs, re-added newer features and
1806: created OpenSSH.
1.240 jmc 1807: .An Markus Friedl
1808: contributed the support for SSH protocol versions 1.5 and 2.0.