version 1.217, 2006/02/12 10:52:41 |
version 1.218, 2006/02/12 17:57:19 |
|
|
The following option specifications are supported (note |
The following option specifications are supported (note |
that option keywords are case-insensitive): |
that option keywords are case-insensitive): |
.Bl -tag -width Ds |
.Bl -tag -width Ds |
.It Cm from="pattern-list" |
|
Specifies that in addition to public key authentication, the canonical name |
|
of the remote host must be present in the comma-separated list of |
|
patterns |
|
.Pf ( Ql \&* |
|
and |
|
.Ql \&? |
|
serve as wildcards). |
|
The list may also contain |
|
patterns negated by prefixing them with |
|
.Ql \&! ; |
|
if the canonical host name matches a negated pattern, the key is not accepted. |
|
The purpose |
|
of this option is to optionally increase security: public key authentication |
|
by itself does not trust the network or name servers or anything (but |
|
the key); however, if somebody somehow steals the key, the key |
|
permits an intruder to log in from anywhere in the world. |
|
This additional option makes using a stolen key more difficult (name |
|
servers and/or routers would have to be compromised in addition to |
|
just the key). |
|
.It Cm command="command" |
.It Cm command="command" |
Specifies that the command is executed whenever this key is used for |
Specifies that the command is executed whenever this key is used for |
authentication. |
authentication. |
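Review bot: the `from="pattern-list"` entry removed here ahead of `command="command"` reappears further down unchanged, so its loose rationale sentence "does not trust the network or name servers or anything (but the key)" survives the move. Since the block is being relocated anyway, tighten that sentence to say plainly that public key authentication trusts nothing but the key. The entry should also say how the "canonical name of the remote host" is obtained, because the same text states that the option's value depends on name servers and routers not being compromised. Nothing visible here records that the reorder is purely alphabetical with no wording change, which a one-line commit message would make easy to verify.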
|
|
This option is automatically disabled if |
This option is automatically disabled if |
.Cm UseLogin |
.Cm UseLogin |
is enabled. |
is enabled. |
|
.It Cm from="pattern-list" |
|
Specifies that in addition to public key authentication, the canonical name |
|
of the remote host must be present in the comma-separated list of |
|
patterns |
|
.Pf ( Ql \&* |
|
and |
|
.Ql \&? |
|
serve as wildcards). |
|
The list may also contain |
|
patterns negated by prefixing them with |
|
.Ql \&! ; |
|
if the canonical host name matches a negated pattern, the key is not accepted. |
|
The purpose |
|
of this option is to optionally increase security: public key authentication |
|
by itself does not trust the network or name servers or anything (but |
|
the key); however, if somebody somehow steals the key, the key |
|
permits an intruder to log in from anywhere in the world. |
|
This additional option makes using a stolen key more difficult (name |
|
servers and/or routers would have to be compromised in addition to |
|
just the key). |
|
.It Cm no-agent-forwarding |
|
Forbids authentication agent forwarding when this key is used for |
|
authentication. |
.It Cm no-port-forwarding |
.It Cm no-port-forwarding |
Forbids TCP forwarding when this key is used for authentication. |
Forbids TCP forwarding when this key is used for authentication. |
Any port forward requests by the client will return an error. |
Any port forward requests by the client will return an error. |
This might be used, e.g., in connection with the |
This might be used, e.g., in connection with the |
.Cm command |
.Cm command |
option. |
option. |
|
.It Cm no-pty |
|
Prevents tty allocation (a request to allocate a pty will fail). |
.It Cm no-X11-forwarding |
.It Cm no-X11-forwarding |
Forbids X11 forwarding when this key is used for authentication. |
Forbids X11 forwarding when this key is used for authentication. |
Any X11 forward requests by the client will return an error. |
Any X11 forward requests by the client will return an error. |
.It Cm no-agent-forwarding |
|
Forbids authentication agent forwarding when this key is used for |
|
authentication. |
|
.It Cm no-pty |
|
Prevents tty allocation (a request to allocate a pty will fail). |
|
.It Cm permitopen="host:port" |
.It Cm permitopen="host:port" |
Limit local |
Limit local |
.Li ``ssh -L'' |
.Li ``ssh -L'' |