ssh_config.5 (323129) | ssh_config.5 (323134) |
---|---|
1.\" 2.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 3.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4.\" All rights reserved 5.\" 6.\" As far as I am concerned, the code I have written for this software 7.\" can be used freely for any purpose. Any derived versions of this 8.\" software must be clearly marked as such, and if the derived work is --- 19 unchanged lines hidden (view full) --- 28.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 29.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 30.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 31.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 32.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" | 1.\" 2.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 3.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4.\" All rights reserved 5.\" 6.\" As far as I am concerned, the code I have written for this software 7.\" can be used freely for any purpose. Any derived versions of this 8.\" software must be clearly marked as such, and if the derived work is --- 19 unchanged lines hidden (view full) --- 28.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 29.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 30.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 31.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 32.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" |
36.\" $OpenBSD: ssh_config.5,v 1.236 2016/07/22 07:00:46 djm Exp $ 37.\" $FreeBSD: stable/11/crypto/openssh/ssh_config.5 323129 2017-09-02 14:25:20Z des $ 38.Dd $Mdocdate: July 22 2016 $ | 36.\" $OpenBSD: ssh_config.5,v 1.240 2016/10/15 19:56:25 jmc Exp $ 37.\" $FreeBSD: stable/11/crypto/openssh/ssh_config.5 323134 2017-09-02 21:58:42Z des $ 38.Dd $Mdocdate: October 15 2016 $ |
39.Dt SSH_CONFIG 5 40.Os 41.Sh NAME 42.Nm ssh_config 43.Nd OpenSSH SSH client configuration files 44.Sh SYNOPSIS 45.Nm ~/.ssh/config 46.Nm /etc/ssh/ssh_config --- 11 unchanged lines hidden (view full) --- 58.It 59system-wide configuration file 60.Pq Pa /etc/ssh/ssh_config 61.El 62.Pp 63For each parameter, the first obtained value 64will be used. 65The configuration files contain sections separated by | 39.Dt SSH_CONFIG 5 40.Os 41.Sh NAME 42.Nm ssh_config 43.Nd OpenSSH SSH client configuration files 44.Sh SYNOPSIS 45.Nm ~/.ssh/config 46.Nm /etc/ssh/ssh_config --- 11 unchanged lines hidden (view full) --- 58.It 59system-wide configuration file 60.Pq Pa /etc/ssh/ssh_config 61.El 62.Pp 63For each parameter, the first obtained value 64will be used. 65The configuration files contain sections separated by |
66.Dq Host | 66.Cm Host |
67specifications, and that section is only applied for hosts that 68match one of the patterns given in the specification. 69The matched host name is usually the one given on the command line 70(see the 71.Cm CanonicalizeHostname | 67specifications, and that section is only applied for hosts that 68match one of the patterns given in the specification. 69The matched host name is usually the one given on the command line 70(see the 71.Cm CanonicalizeHostname |
72option for exceptions.) | 72option for exceptions). |
73.Pp 74Since the first obtained value for each parameter is used, more 75host-specific declarations should be given near the beginning of the 76file, and general defaults at the end. 77.Pp | 73.Pp 74Since the first obtained value for each parameter is used, more 75host-specific declarations should be given near the beginning of the 76file, and general defaults at the end. 77.Pp |
78The configuration file has the following format: 79.Pp 80Empty lines and lines starting with | 78The file contains keyword-argument pairs, one per line. 79Lines starting with |
81.Ql # | 80.Ql # |
82are comments. 83Otherwise a line is of the format 84.Dq keyword arguments . | 81and empty lines are interpreted as comments. 82Arguments may optionally be enclosed in double quotes 83.Pq \&" 84in order to represent arguments containing spaces. |
85Configuration options may be separated by whitespace or 86optional whitespace and exactly one 87.Ql = ; 88the latter format is useful to avoid the need to quote whitespace 89when specifying configuration options using the 90.Nm ssh , 91.Nm scp , 92and 93.Nm sftp 94.Fl o 95option. | 85Configuration options may be separated by whitespace or 86optional whitespace and exactly one 87.Ql = ; 88the latter format is useful to avoid the need to quote whitespace 89when specifying configuration options using the 90.Nm ssh , 91.Nm scp , 92and 93.Nm sftp 94.Fl o 95option. |
96Arguments may optionally be enclosed in double quotes 97.Pq \&" 98in order to represent arguments containing spaces. | |
99.Pp 100The possible 101keywords and their meanings are as follows (note that 102keywords are case-insensitive and arguments are case-sensitive): 103.Bl -tag -width Ds 104.It Cm Host 105Restricts the following declarations (up to the next 106.Cm Host --- 6 unchanged lines hidden (view full) --- 113.Ql * 114as a pattern can be used to provide global 115defaults for all hosts. 116The host is usually the 117.Ar hostname 118argument given on the command line 119(see the 120.Cm CanonicalizeHostname | 96.Pp 97The possible 98keywords and their meanings are as follows (note that 99keywords are case-insensitive and arguments are case-sensitive): 100.Bl -tag -width Ds 101.It Cm Host 102Restricts the following declarations (up to the next 103.Cm Host --- 6 unchanged lines hidden (view full) --- 110.Ql * 111as a pattern can be used to provide global 112defaults for all hosts. 113The host is usually the 114.Ar hostname 115argument given on the command line 116(see the 117.Cm CanonicalizeHostname |
121option for exceptions.) | 118keyword for exceptions). |
122.Pp 123A pattern entry may be negated by prefixing it with an exclamation mark 124.Pq Sq !\& . 125If a negated entry is matched, then the 126.Cm Host 127entry is ignored, regardless of whether any other patterns on the line 128match. 129Negated matches are therefore useful to provide exceptions for wildcard --- 43 unchanged lines hidden (view full) --- 173option.) 174This may be useful to specify conditions that work with canonical host 175names only. 176The 177.Cm exec 178keyword executes the specified command under the user's shell. 179If the command returns a zero exit status then the condition is considered true. 180Commands containing whitespace characters must be quoted. | 119.Pp 120A pattern entry may be negated by prefixing it with an exclamation mark 121.Pq Sq !\& . 122If a negated entry is matched, then the 123.Cm Host 124entry is ignored, regardless of whether any other patterns on the line 125match. 126Negated matches are therefore useful to provide exceptions for wildcard --- 43 unchanged lines hidden (view full) --- 170option.) 171This may be useful to specify conditions that work with canonical host 172names only. 173The 174.Cm exec 175keyword executes the specified command under the user's shell. 176If the command returns a zero exit status then the condition is considered true. 177Commands containing whitespace characters must be quoted. |
181The following character sequences in the command will be expanded prior to 182execution: 183.Ql %L 184will be substituted by the first component of the local host name, 185.Ql %l 186will be substituted by the local host name (including any domain name), 187.Ql %h 188will be substituted by the target host name, 189.Ql %n 190will be substituted by the original target host name 191specified on the command-line, 192.Ql %p 193the destination port, 194.Ql %r 195by the remote login username, and 196.Ql %u 197by the username of the user running 198.Xr ssh 1 . | 178Arguments to 179.Cm exec 180accept the tokens described in the 181.Sx TOKENS 182section. |
199.Pp 200The other keywords' criteria must be single entries or comma-separated 201lists and may use the wildcard and negation operators described in the 202.Sx PATTERNS 203section. 204The criteria for the 205.Cm host 206keyword are matched against the target hostname, after any substitution --- 14 unchanged lines hidden (view full) --- 221.Xr ssh 1 222(this keyword may be useful in system-wide 223.Nm 224files). 225.It Cm AddKeysToAgent 226Specifies whether keys should be automatically added to a running 227.Xr ssh-agent 1 . 228If this option is set to | 183.Pp 184The other keywords' criteria must be single entries or comma-separated 185lists and may use the wildcard and negation operators described in the 186.Sx PATTERNS 187section. 188The criteria for the 189.Cm host 190keyword are matched against the target hostname, after any substitution --- 14 unchanged lines hidden (view full) --- 205.Xr ssh 1 206(this keyword may be useful in system-wide 207.Nm 208files). 209.It Cm AddKeysToAgent 210Specifies whether keys should be automatically added to a running 211.Xr ssh-agent 1 . 212If this option is set to |
229.Dq yes | 213.Cm yes |
230and a key is loaded from a file, the key and its passphrase are added to 231the agent with the default lifetime, as if by 232.Xr ssh-add 1 . 233If this option is set to | 214and a key is loaded from a file, the key and its passphrase are added to 215the agent with the default lifetime, as if by 216.Xr ssh-add 1 . 217If this option is set to |
234.Dq ask , 235.Nm ssh | 218.Cm ask , 219.Xr ssh 1 |
236will require confirmation using the 237.Ev SSH_ASKPASS 238program before adding a key (see 239.Xr ssh-add 1 240for details). 241If this option is set to | 220will require confirmation using the 221.Ev SSH_ASKPASS 222program before adding a key (see 223.Xr ssh-add 1 224for details). 225If this option is set to |
242.Dq confirm , | 226.Cm confirm , |
243each use of the key must be confirmed, as if the 244.Fl c 245option was specified to 246.Xr ssh-add 1 . 247If this option is set to | 227each use of the key must be confirmed, as if the 228.Fl c 229option was specified to 230.Xr ssh-add 1 . 231If this option is set to |
248.Dq no , | 232.Cm no , |
249no keys are added to the agent. 250The argument must be | 233no keys are added to the agent. 234The argument must be |
251.Dq yes , 252.Dq confirm , 253.Dq ask , | 235.Cm yes , 236.Cm confirm , 237.Cm ask , |
254or | 238or |
255.Dq no . 256The default is 257.Dq no . | 239.Cm no 240(the default). |
258.It Cm AddressFamily 259Specifies which address family to use when connecting. 260Valid arguments are | 241.It Cm AddressFamily 242Specifies which address family to use when connecting. 243Valid arguments are |
261.Dq any , 262.Dq inet | 244.Cm any 245(the default), 246.Cm inet |
263(use IPv4 only), or | 247(use IPv4 only), or |
264.Dq inet6 | 248.Cm inet6 |
265(use IPv6 only). | 249(use IPv6 only). |
266The default is 267.Dq any . | |
268.It Cm BatchMode 269If set to | 250.It Cm BatchMode 251If set to |
270.Dq yes , | 252.Cm yes , |
271passphrase/password querying will be disabled. 272This option is useful in scripts and other batch jobs where no user 273is present to supply the password. 274The argument must be | 253passphrase/password querying will be disabled. 254This option is useful in scripts and other batch jobs where no user 255is present to supply the password. 256The argument must be |
275.Dq yes | 257.Cm yes |
276or | 258or |
277.Dq no . 278The default is 279.Dq no . | 259.Cm no 260(the default). |
280.It Cm BindAddress 281Use the specified address on the local machine as the source address of 282the connection. 283Only useful on systems with more than one address. 284Note that this option does not work if 285.Cm UsePrivilegedPort 286is set to | 261.It Cm BindAddress 262Use the specified address on the local machine as the source address of 263the connection. 264Only useful on systems with more than one address. 265Note that this option does not work if 266.Cm UsePrivilegedPort 267is set to |
287.Dq yes . | 268.Cm yes . |
288.It Cm CanonicalDomains 289When 290.Cm CanonicalizeHostname 291is enabled, this option specifies the list of domain suffixes in which to 292search for the specified destination host. 293.It Cm CanonicalizeFallbackLocal 294Specifies whether to fail with an error when hostname canonicalization fails. 295The default, | 269.It Cm CanonicalDomains 270When 271.Cm CanonicalizeHostname 272is enabled, this option specifies the list of domain suffixes in which to 273search for the specified destination host. 274.It Cm CanonicalizeFallbackLocal 275Specifies whether to fail with an error when hostname canonicalization fails. 276The default, |
296.Dq yes , | 277.Cm yes , |
297will attempt to look up the unqualified hostname using the system resolver's 298search rules. 299A value of | 278will attempt to look up the unqualified hostname using the system resolver's 279search rules. 280A value of |
300.Dq no | 281.Cm no |
301will cause 302.Xr ssh 1 303to fail instantly if 304.Cm CanonicalizeHostname 305is enabled and the target hostname cannot be found in any of the domains 306specified by 307.Cm CanonicalDomains . 308.It Cm CanonicalizeHostname 309Controls whether explicit hostname canonicalization is performed. 310The default, | 282will cause 283.Xr ssh 1 284to fail instantly if 285.Cm CanonicalizeHostname 286is enabled and the target hostname cannot be found in any of the domains 287specified by 288.Cm CanonicalDomains . 289.It Cm CanonicalizeHostname 290Controls whether explicit hostname canonicalization is performed. 291The default, |
311.Dq no , | 292.Cm no , |
312is not to perform any name rewriting and let the system resolver handle all 313hostname lookups. 314If set to | 293is not to perform any name rewriting and let the system resolver handle all 294hostname lookups. 295If set to |
315.Dq yes | 296.Cm yes |
316then, for connections that do not use a 317.Cm ProxyCommand , 318.Xr ssh 1 319will attempt to canonicalize the hostname specified on the command line 320using the 321.Cm CanonicalDomains 322suffixes and 323.Cm CanonicalizePermittedCNAMEs 324rules. 325If 326.Cm CanonicalizeHostname 327is set to | 297then, for connections that do not use a 298.Cm ProxyCommand , 299.Xr ssh 1 300will attempt to canonicalize the hostname specified on the command line 301using the 302.Cm CanonicalDomains 303suffixes and 304.Cm CanonicalizePermittedCNAMEs 305rules. 306If 307.Cm CanonicalizeHostname 308is set to |
328.Dq always , | 309.Cm always , |
329then canonicalization is applied to proxied connections too. 330.Pp 331If this option is enabled, then the configuration files are processed 332again using the new target name to pick up any new configuration in matching 333.Cm Host 334and 335.Cm Match 336stanzas. 337.It Cm CanonicalizeMaxDots 338Specifies the maximum number of dot characters in a hostname before 339canonicalization is disabled. | 310then canonicalization is applied to proxied connections too. 311.Pp 312If this option is enabled, then the configuration files are processed 313again using the new target name to pick up any new configuration in matching 314.Cm Host 315and 316.Cm Match 317stanzas. 318.It Cm CanonicalizeMaxDots 319Specifies the maximum number of dot characters in a hostname before 320canonicalization is disabled. |
340The default, 341.Dq 1 , | 321The default, 1, |
342allows a single dot (i.e. hostname.subdomain). 343.It Cm CanonicalizePermittedCNAMEs 344Specifies rules to determine whether CNAMEs should be followed when 345canonicalizing hostnames. 346The rules consist of one or more arguments of 347.Ar source_domain_list : Ns Ar target_domain_list , 348where 349.Ar source_domain_list 350is a pattern-list of domains that may follow CNAMEs in canonicalization, 351and 352.Ar target_domain_list 353is a pattern-list of domains that they may resolve to. 354.Pp 355For example, | 322allows a single dot (i.e. hostname.subdomain). 323.It Cm CanonicalizePermittedCNAMEs 324Specifies rules to determine whether CNAMEs should be followed when 325canonicalizing hostnames. 326The rules consist of one or more arguments of 327.Ar source_domain_list : Ns Ar target_domain_list , 328where 329.Ar source_domain_list 330is a pattern-list of domains that may follow CNAMEs in canonicalization, 331and 332.Ar target_domain_list 333is a pattern-list of domains that they may resolve to. 334.Pp 335For example, |
356.Dq *.a.example.com:*.b.example.com,*.c.example.com | 336.Qq *.a.example.com:*.b.example.com,*.c.example.com |
357will allow hostnames matching | 337will allow hostnames matching |
358.Dq *.a.example.com | 338.Qq *.a.example.com |
359to be canonicalized to names in the | 339to be canonicalized to names in the |
360.Dq *.b.example.com | 340.Qq *.b.example.com |
361or | 341or |
362.Dq *.c.example.com | 342.Qq *.c.example.com |
363domains. 364.It Cm CertificateFile 365Specifies a file from which the user's certificate is read. 366A corresponding private key must be provided separately in order 367to use this certificate either 368from an 369.Cm IdentityFile 370directive or 371.Fl i 372flag to 373.Xr ssh 1 , 374via 375.Xr ssh-agent 1 , 376or via a 377.Cm PKCS11Provider . 378.Pp | 343domains. 344.It Cm CertificateFile 345Specifies a file from which the user's certificate is read. 346A corresponding private key must be provided separately in order 347to use this certificate either 348from an 349.Cm IdentityFile 350directive or 351.Fl i 352flag to 353.Xr ssh 1 , 354via 355.Xr ssh-agent 1 , 356or via a 357.Cm PKCS11Provider . 358.Pp |
379The file name may use the tilde 380syntax to refer to a user's home directory or one of the following 381escape characters: 382.Ql %d 383(local user's home directory), 384.Ql %u 385(local user name), 386.Ql %l 387(local host name), 388.Ql %h 389(remote host name) or 390.Ql %r 391(remote user name). | 359Arguments to 360.Cm CertificateFile 361may use the tilde syntax to refer to a user's home directory 362or the tokens described in the 363.Sx TOKENS 364section. |
392.Pp 393It is possible to have multiple certificate files specified in 394configuration files; these certificates will be tried in sequence. 395Multiple 396.Cm CertificateFile 397directives will add to the list of certificates used for 398authentication. 399.It Cm ChallengeResponseAuthentication 400Specifies whether to use challenge-response authentication. 401The argument to this keyword must be | 365.Pp 366It is possible to have multiple certificate files specified in 367configuration files; these certificates will be tried in sequence. 368Multiple 369.Cm CertificateFile 370directives will add to the list of certificates used for 371authentication. 372.It Cm ChallengeResponseAuthentication 373Specifies whether to use challenge-response authentication. 374The argument to this keyword must be |
402.Dq yes | 375.Cm yes 376(the default) |
403or | 377or |
404.Dq no . 405The default is 406.Dq yes . | 378.Cm no . |
407.It Cm CheckHostIP | 379.It Cm CheckHostIP |
408If this flag is set to 409.Dq yes , | 380If set to 381.Cm yes , |
410.Xr ssh 1 411will additionally check the host IP address in the 412.Pa known_hosts 413file. | 382.Xr ssh 1 383will additionally check the host IP address in the 384.Pa known_hosts 385file. |
414This allows ssh to detect if a host key changed due to DNS spoofing | 386This allows it to detect if a host key changed due to DNS spoofing |
415and will add addresses of destination hosts to 416.Pa ~/.ssh/known_hosts 417in the process, regardless of the setting of 418.Cm StrictHostKeyChecking . 419If the option is set to | 387and will add addresses of destination hosts to 388.Pa ~/.ssh/known_hosts 389in the process, regardless of the setting of 390.Cm StrictHostKeyChecking . 391If the option is set to |
420.Dq no , | 392.Cm no , |
421the check will not be executed. 422The default is | 393the check will not be executed. 394The default is |
423.Dq no . | 395.Cm no . |
424.It Cm Cipher 425Specifies the cipher to use for encrypting the session 426in protocol version 1. 427Currently, | 396.It Cm Cipher 397Specifies the cipher to use for encrypting the session 398in protocol version 1. 399Currently, |
428.Dq blowfish , 429.Dq 3des , | 400.Cm blowfish , 401.Cm 3des 402(the default), |
430and | 403and |
431.Dq des 432are supported. 433.Ar des | 404.Cm des 405are supported, 406though 407.Cm des |
434is only supported in the 435.Xr ssh 1 | 408is only supported in the 409.Xr ssh 1 |
436client for interoperability with legacy protocol 1 implementations 437that do not support the 438.Ar 3des 439cipher. 440Its use is strongly discouraged due to cryptographic weaknesses. 441The default is 442.Dq 3des . | 410client for interoperability with legacy protocol 1 implementations; 411its use is strongly discouraged due to cryptographic weaknesses. |
443.It Cm Ciphers 444Specifies the ciphers allowed for protocol version 2 445in order of preference. 446Multiple ciphers must be comma-separated. 447If the specified value begins with a 448.Sq + 449character, then the specified ciphers will be appended to the default set 450instead of replacing them. 451.Pp 452The supported ciphers are: | 412.It Cm Ciphers 413Specifies the ciphers allowed for protocol version 2 414in order of preference. 415Multiple ciphers must be comma-separated. 416If the specified value begins with a 417.Sq + 418character, then the specified ciphers will be appended to the default set 419instead of replacing them. 420.Pp 421The supported ciphers are: |
453.Pp 454.Bl -item -compact -offset indent 455.It | 422.Bd -literal -offset indent |
4563des-cbc | 4233des-cbc |
457.It | |
458aes128-cbc | 424aes128-cbc |
459.It | |
460aes192-cbc | 425aes192-cbc |
461.It | |
462aes256-cbc | 426aes256-cbc |
463.It | |
464aes128-ctr | 427aes128-ctr |
465.It | |
466aes192-ctr | 428aes192-ctr |
467.It | |
468aes256-ctr | 429aes256-ctr |
469.It | |
470aes128-gcm@openssh.com | 430aes128-gcm@openssh.com |
471.It | |
472aes256-gcm@openssh.com | 431aes256-gcm@openssh.com |
473.It | |
474arcfour | 432arcfour |
475.It | |
476arcfour128 | 433arcfour128 |
477.It | |
478arcfour256 | 434arcfour256 |
479.It | |
480blowfish-cbc | 435blowfish-cbc |
481.It | |
482cast128-cbc | 436cast128-cbc |
483.It | |
484chacha20-poly1305@openssh.com | 437chacha20-poly1305@openssh.com |
485.El | 438.Ed |
486.Pp 487The default is: 488.Bd -literal -offset indent 489chacha20-poly1305@openssh.com, 490aes128-ctr,aes192-ctr,aes256-ctr, 491aes128-gcm@openssh.com,aes256-gcm@openssh.com, | 439.Pp 440The default is: 441.Bd -literal -offset indent 442chacha20-poly1305@openssh.com, 443aes128-ctr,aes192-ctr,aes256-ctr, 444aes128-gcm@openssh.com,aes256-gcm@openssh.com, |
492aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc | 445aes128-cbc,aes192-cbc,aes256-cbc |
493.Ed 494.Pp | 446.Ed 447.Pp |
495The list of available ciphers may also be obtained using the 496.Fl Q 497option of 498.Xr ssh 1 499with an argument of 500.Dq cipher . | 448The list of available ciphers may also be obtained using 449.Qq ssh -Q cipher . |
501.It Cm ClearAllForwardings 502Specifies that all local, remote, and dynamic port forwardings 503specified in the configuration files or on the command line be 504cleared. 505This option is primarily useful when used from the 506.Xr ssh 1 507command line to clear port forwardings set in 508configuration files, and is automatically set by 509.Xr scp 1 510and 511.Xr sftp 1 . 512The argument must be | 450.It Cm ClearAllForwardings 451Specifies that all local, remote, and dynamic port forwardings 452specified in the configuration files or on the command line be 453cleared. 454This option is primarily useful when used from the 455.Xr ssh 1 456command line to clear port forwardings set in 457configuration files, and is automatically set by 458.Xr scp 1 459and 460.Xr sftp 1 . 461The argument must be |
513.Dq yes | 462.Cm yes |
514or | 463or |
515.Dq no . 516The default is 517.Dq no . | 464.Cm no 465(the default). |
518.It Cm Compression 519Specifies whether to use compression. 520The argument must be | 466.It Cm Compression 467Specifies whether to use compression. 468The argument must be |
521.Dq yes | 469.Cm yes |
522or | 470or |
523.Dq no . 524The default is 525.Dq no . | 471.Cm no 472(the default). |
526.It Cm CompressionLevel 527Specifies the compression level to use if compression is enabled. 528The argument must be an integer from 1 (fast) to 9 (slow, best). 529The default level is 6, which is good for most applications. 530The meaning of the values is the same as in 531.Xr gzip 1 . 532Note that this option applies to protocol version 1 only. 533.It Cm ConnectionAttempts --- 4 unchanged lines hidden (view full) --- 538.It Cm ConnectTimeout 539Specifies the timeout (in seconds) used when connecting to the 540SSH server, instead of using the default system TCP timeout. 541This value is used only when the target is down or really unreachable, 542not when it refuses the connection. 543.It Cm ControlMaster 544Enables the sharing of multiple sessions over a single network connection. 545When set to | 473.It Cm CompressionLevel 474Specifies the compression level to use if compression is enabled. 475The argument must be an integer from 1 (fast) to 9 (slow, best). 476The default level is 6, which is good for most applications. 477The meaning of the values is the same as in 478.Xr gzip 1 . 479Note that this option applies to protocol version 1 only. 480.It Cm ConnectionAttempts --- 4 unchanged lines hidden (view full) --- 485.It Cm ConnectTimeout 486Specifies the timeout (in seconds) used when connecting to the 487SSH server, instead of using the default system TCP timeout. 488This value is used only when the target is down or really unreachable, 489not when it refuses the connection. 490.It Cm ControlMaster 491Enables the sharing of multiple sessions over a single network connection. 492When set to |
546.Dq yes , | 493.Cm yes , |
547.Xr ssh 1 548will listen for connections on a control socket specified using the 549.Cm ControlPath 550argument. 551Additional sessions can connect to this socket using the same 552.Cm ControlPath 553with 554.Cm ControlMaster 555set to | 494.Xr ssh 1 495will listen for connections on a control socket specified using the 496.Cm ControlPath 497argument. 498Additional sessions can connect to this socket using the same 499.Cm ControlPath 500with 501.Cm ControlMaster 502set to |
556.Dq no | 503.Cm no |
557(the default). 558These sessions will try to reuse the master instance's network connection 559rather than initiating new ones, but will fall back to connecting normally 560if the control socket does not exist, or is not listening. 561.Pp 562Setting this to | 504(the default). 505These sessions will try to reuse the master instance's network connection 506rather than initiating new ones, but will fall back to connecting normally 507if the control socket does not exist, or is not listening. 508.Pp 509Setting this to |
563.Dq ask 564will cause ssh | 510.Cm ask 511will cause 512.Xr ssh 1 |
565to listen for control connections, but require confirmation using 566.Xr ssh-askpass 1 . 567If the 568.Cm ControlPath 569cannot be opened, | 513to listen for control connections, but require confirmation using 514.Xr ssh-askpass 1 . 515If the 516.Cm ControlPath 517cannot be opened, |
570ssh will continue without connecting to a master instance. | 518.Xr ssh 1 519will continue without connecting to a master instance. |
571.Pp 572X11 and 573.Xr ssh-agent 1 574forwarding is supported over these multiplexed connections, however the 575display and agent forwarded will be the one belonging to the master 576connection i.e. it is not possible to forward multiple displays or agents. 577.Pp 578Two additional options allow for opportunistic multiplexing: try to use a 579master connection but fall back to creating a new one if one does not already 580exist. 581These options are: | 520.Pp 521X11 and 522.Xr ssh-agent 1 523forwarding is supported over these multiplexed connections, however the 524display and agent forwarded will be the one belonging to the master 525connection i.e. it is not possible to forward multiple displays or agents. 526.Pp 527Two additional options allow for opportunistic multiplexing: try to use a 528master connection but fall back to creating a new one if one does not already 529exist. 530These options are: |
582.Dq auto | 531.Cm auto |
583and | 532and |
584.Dq autoask . | 533.Cm autoask . |
585The latter requires confirmation like the | 534The latter requires confirmation like the |
586.Dq ask | 535.Cm ask |
587option. 588.It Cm ControlPath 589Specify the path to the control socket used for connection sharing as described 590in the 591.Cm ControlMaster 592section above or the string | 536option. 537.It Cm ControlPath 538Specify the path to the control socket used for connection sharing as described 539in the 540.Cm ControlMaster 541section above or the string |
593.Dq none | 542.Cm none |
594to disable connection sharing. | 543to disable connection sharing. |
595In the path, 596.Ql %L 597will be substituted by the first component of the local host name, 598.Ql %l 599will be substituted by the local host name (including any domain name), 600.Ql %h 601will be substituted by the target host name, 602.Ql %n 603will be substituted by the original target host name 604specified on the command line, 605.Ql %p 606the destination port, 607.Ql %r 608by the remote login username, 609.Ql %u 610by the username and 611.Ql %i 612by the numeric user ID (uid) of the user running 613.Xr ssh 1 , 614and 615.Ql \&%C 616by a hash of the concatenation: %l%h%p%r. | 544Arguments to 545.Cm ControlPath 546may use the tilde syntax to refer to a user's home directory 547or the tokens described in the 548.Sx TOKENS 549section. |
617It is recommended that any 618.Cm ControlPath 619used for opportunistic connection sharing include 620at least %h, %p, and %r (or alternatively %C) and be placed in a directory 621that is not writable by other users. 622This ensures that shared connections are uniquely identified. 623.It Cm ControlPersist 624When used in conjunction with 625.Cm ControlMaster , 626specifies that the master connection should remain open 627in the background (waiting for future client connections) 628after the initial client connection has been closed. 629If set to | 550It is recommended that any 551.Cm ControlPath 552used for opportunistic connection sharing include 553at least %h, %p, and %r (or alternatively %C) and be placed in a directory 554that is not writable by other users. 555This ensures that shared connections are uniquely identified. 556.It Cm ControlPersist 557When used in conjunction with 558.Cm ControlMaster , 559specifies that the master connection should remain open 560in the background (waiting for future client connections) 561after the initial client connection has been closed. 562If set to |
630.Dq no , | 563.Cm no , |
631then the master connection will not be placed into the background, 632and will close as soon as the initial client connection is closed. 633If set to | 564then the master connection will not be placed into the background, 565and will close as soon as the initial client connection is closed. 566If set to |
634.Dq yes 635or 636.Dq 0 , | 567.Cm yes 568or 0, |
637then the master connection will remain in the background indefinitely 638(until killed or closed via a mechanism such as the | 569then the master connection will remain in the background indefinitely 570(until killed or closed via a mechanism such as the |
639.Xr ssh 1 640.Dq Fl O No exit 641option). | 571.Qq ssh -O exit ) . |
642If set to a time in seconds, or a time in any of the formats documented in 643.Xr sshd_config 5 , 644then the backgrounded master connection will automatically terminate 645after it has remained idle (with no client connections) for the 646specified time. 647.It Cm DynamicForward 648Specifies that a TCP port on the local machine be forwarded 649over the secure channel, and the application --- 9 unchanged lines hidden (view full) --- 659.Cm GatewayPorts 660setting. 661However, an explicit 662.Ar bind_address 663may be used to bind the connection to a specific address. 664The 665.Ar bind_address 666of | 572If set to a time in seconds, or a time in any of the formats documented in 573.Xr sshd_config 5 , 574then the backgrounded master connection will automatically terminate 575after it has remained idle (with no client connections) for the 576specified time. 577.It Cm DynamicForward 578Specifies that a TCP port on the local machine be forwarded 579over the secure channel, and the application --- 9 unchanged lines hidden (view full) --- 589.Cm GatewayPorts 590setting. 591However, an explicit 592.Ar bind_address 593may be used to bind the connection to a specific address. 594The 595.Ar bind_address 596of |
667.Dq localhost | 597.Cm localhost |
668indicates that the listening port be bound for local use only, while an 669empty address or 670.Sq * 671indicates that the port should be available from all interfaces. 672.Pp 673Currently the SOCKS4 and SOCKS5 protocols are supported, and 674.Xr ssh 1 675will act as a SOCKS server. 676Multiple forwardings may be specified, and 677additional forwardings can be given on the command line. 678Only the superuser can forward privileged ports. 679.It Cm EnableSSHKeysign 680Setting this option to | 598indicates that the listening port be bound for local use only, while an 599empty address or 600.Sq * 601indicates that the port should be available from all interfaces. 602.Pp 603Currently the SOCKS4 and SOCKS5 protocols are supported, and 604.Xr ssh 1 605will act as a SOCKS server. 606Multiple forwardings may be specified, and 607additional forwardings can be given on the command line. 608Only the superuser can forward privileged ports. 609.It Cm EnableSSHKeysign 610Setting this option to |
681.Dq yes | 611.Cm yes |
682in the global client configuration file 683.Pa /etc/ssh/ssh_config 684enables the use of the helper program 685.Xr ssh-keysign 8 686during 687.Cm HostbasedAuthentication . 688The argument must be | 612in the global client configuration file 613.Pa /etc/ssh/ssh_config 614enables the use of the helper program 615.Xr ssh-keysign 8 616during 617.Cm HostbasedAuthentication . 618The argument must be |
689.Dq yes | 619.Cm yes |
690or | 620or |
691.Dq no . 692The default is 693.Dq no . | 621.Cm no 622(the default). |
694This option should be placed in the non-hostspecific section. 695See 696.Xr ssh-keysign 8 697for more information. 698.It Cm EscapeChar 699Sets the escape character (default: 700.Ql ~ ) . 701The escape character can also 702be set on the command line. 703The argument should be a single character, 704.Ql ^ 705followed by a letter, or | 623This option should be placed in the non-hostspecific section. 624See 625.Xr ssh-keysign 8 626for more information. 627.It Cm EscapeChar 628Sets the escape character (default: 629.Ql ~ ) . 630The escape character can also 631be set on the command line. 632The argument should be a single character, 633.Ql ^ 634followed by a letter, or |
706.Dq none | 635.Cm none |
707to disable the escape 708character entirely (making the connection transparent for binary 709data). 710.It Cm ExitOnForwardFailure 711Specifies whether 712.Xr ssh 1 713should terminate the connection if it cannot set up all requested 714dynamic, tunnel, local, and remote port forwardings, (e.g.\& 715if either end is unable to bind and listen on a specified port). 716Note that 717.Cm ExitOnForwardFailure 718does not apply to connections made over port forwardings and will not, 719for example, cause 720.Xr ssh 1 721to exit if TCP connections to the ultimate forwarding destination fail. 722The argument must be | 636to disable the escape 637character entirely (making the connection transparent for binary 638data). 639.It Cm ExitOnForwardFailure 640Specifies whether 641.Xr ssh 1 642should terminate the connection if it cannot set up all requested 643dynamic, tunnel, local, and remote port forwardings, (e.g.\& 644if either end is unable to bind and listen on a specified port). 645Note that 646.Cm ExitOnForwardFailure 647does not apply to connections made over port forwardings and will not, 648for example, cause 649.Xr ssh 1 650to exit if TCP connections to the ultimate forwarding destination fail. 651The argument must be |
723.Dq yes | 652.Cm yes |
724or | 653or |
725.Dq no . 726The default is 727.Dq no . | 654.Cm no 655(the default). |
728.It Cm FingerprintHash 729Specifies the hash algorithm used when displaying key fingerprints. 730Valid options are: | 656.It Cm FingerprintHash 657Specifies the hash algorithm used when displaying key fingerprints. 658Valid options are: |
731.Dq md5 | 659.Cm md5 |
732and | 660and |
733.Dq sha256 . 734The default is 735.Dq sha256 . | 661.Cm sha256 662(the default). |
736.It Cm ForwardAgent 737Specifies whether the connection to the authentication agent (if any) 738will be forwarded to the remote machine. 739The argument must be | 663.It Cm ForwardAgent 664Specifies whether the connection to the authentication agent (if any) 665will be forwarded to the remote machine. 666The argument must be |
740.Dq yes | 667.Cm yes |
741or | 668or |
742.Dq no . 743The default is 744.Dq no . | 669.Cm no 670(the default). |
745.Pp 746Agent forwarding should be enabled with caution. 747Users with the ability to bypass file permissions on the remote host 748(for the agent's Unix-domain socket) 749can access the local agent through the forwarded connection. 750An attacker cannot obtain key material from the agent, 751however they can perform operations on the keys that enable them to 752authenticate using the identities loaded into the agent. 753.It Cm ForwardX11 754Specifies whether X11 connections will be automatically redirected 755over the secure channel and 756.Ev DISPLAY 757set. 758The argument must be | 671.Pp 672Agent forwarding should be enabled with caution. 673Users with the ability to bypass file permissions on the remote host 674(for the agent's Unix-domain socket) 675can access the local agent through the forwarded connection. 676An attacker cannot obtain key material from the agent, 677however they can perform operations on the keys that enable them to 678authenticate using the identities loaded into the agent. 679.It Cm ForwardX11 680Specifies whether X11 connections will be automatically redirected 681over the secure channel and 682.Ev DISPLAY 683set. 684The argument must be |
759.Dq yes | 685.Cm yes |
760or | 686or |
761.Dq no . 762The default is 763.Dq no . | 687.Cm no 688(the default). |
764.Pp 765X11 forwarding should be enabled with caution. 766Users with the ability to bypass file permissions on the remote host 767(for the user's X11 authorization database) 768can access the local X11 display through the forwarded connection. 769An attacker may then be able to perform activities such as keystroke monitoring 770if the 771.Cm ForwardX11Trusted 772option is also enabled. 773.It Cm ForwardX11Timeout 774Specify a timeout for untrusted X11 forwarding 775using the format described in the | 689.Pp 690X11 forwarding should be enabled with caution. 691Users with the ability to bypass file permissions on the remote host 692(for the user's X11 authorization database) 693can access the local X11 display through the forwarded connection. 694An attacker may then be able to perform activities such as keystroke monitoring 695if the 696.Cm ForwardX11Trusted 697option is also enabled. 698.It Cm ForwardX11Timeout 699Specify a timeout for untrusted X11 forwarding 700using the format described in the |
776TIME FORMATS section of | 701.Sx TIME FORMATS 702section of |
777.Xr sshd_config 5 . 778X11 connections received by 779.Xr ssh 1 780after this time will be refused. 781The default is to disable untrusted X11 forwarding after twenty minutes has 782elapsed. 783.It Cm ForwardX11Trusted 784If this option is set to | 703.Xr sshd_config 5 . 704X11 connections received by 705.Xr ssh 1 706after this time will be refused. 707The default is to disable untrusted X11 forwarding after twenty minutes has 708elapsed. 709.It Cm ForwardX11Trusted 710If this option is set to |
785.Dq yes , | 711.Cm yes , |
786remote X11 clients will have full access to the original X11 display. 787.Pp 788If this option is set to | 712remote X11 clients will have full access to the original X11 display. 713.Pp 714If this option is set to |
789.Dq no , | 715.Cm no 716(the default), |
790remote X11 clients will be considered untrusted and prevented 791from stealing or tampering with data belonging to trusted X11 792clients. 793Furthermore, the 794.Xr xauth 1 795token used for the session will be set to expire after 20 minutes. 796Remote clients will be refused access after this time. 797.Pp | 717remote X11 clients will be considered untrusted and prevented 718from stealing or tampering with data belonging to trusted X11 719clients. 720Furthermore, the 721.Xr xauth 1 722token used for the session will be set to expire after 20 minutes. 723Remote clients will be refused access after this time. 724.Pp |
798The default is 799.Dq no . 800.Pp | |
801See the X11 SECURITY extension specification for full details on 802the restrictions imposed on untrusted clients. 803.It Cm GatewayPorts 804Specifies whether remote hosts are allowed to connect to local 805forwarded ports. 806By default, 807.Xr ssh 1 808binds local port forwardings to the loopback address. 809This prevents other remote hosts from connecting to forwarded ports. 810.Cm GatewayPorts 811can be used to specify that ssh 812should bind local port forwardings to the wildcard address, 813thus allowing remote hosts to connect to forwarded ports. 814The argument must be | 725See the X11 SECURITY extension specification for full details on 726the restrictions imposed on untrusted clients. 727.It Cm GatewayPorts 728Specifies whether remote hosts are allowed to connect to local 729forwarded ports. 730By default, 731.Xr ssh 1 732binds local port forwardings to the loopback address. 733This prevents other remote hosts from connecting to forwarded ports. 734.Cm GatewayPorts 735can be used to specify that ssh 736should bind local port forwardings to the wildcard address, 737thus allowing remote hosts to connect to forwarded ports. 738The argument must be |
815.Dq yes | 739.Cm yes |
816or | 740or |
817.Dq no . 818The default is 819.Dq no . | 741.Cm no 742(the default). |
820.It Cm GlobalKnownHostsFile 821Specifies one or more files to use for the global 822host key database, separated by whitespace. 823The default is 824.Pa /etc/ssh/ssh_known_hosts , 825.Pa /etc/ssh/ssh_known_hosts2 . 826.It Cm GSSAPIAuthentication 827Specifies whether user authentication based on GSSAPI is allowed. 828The default is | 743.It Cm GlobalKnownHostsFile 744Specifies one or more files to use for the global 745host key database, separated by whitespace. 746The default is 747.Pa /etc/ssh/ssh_known_hosts , 748.Pa /etc/ssh/ssh_known_hosts2 . 749.It Cm GSSAPIAuthentication 750Specifies whether user authentication based on GSSAPI is allowed. 751The default is |
829.Dq no . | 752.Cm no . |
830.It Cm GSSAPIDelegateCredentials 831Forward (delegate) credentials to the server. 832The default is | 753.It Cm GSSAPIDelegateCredentials 754Forward (delegate) credentials to the server. 755The default is |
833.Dq no . | 756.Cm no . |
834.It Cm HashKnownHosts 835Indicates that 836.Xr ssh 1 837should hash host names and addresses when they are added to 838.Pa ~/.ssh/known_hosts . 839These hashed names may be used normally by 840.Xr ssh 1 841and 842.Xr sshd 8 , 843but they do not reveal identifying information should the file's contents 844be disclosed. 845The default is | 757.It Cm HashKnownHosts 758Indicates that 759.Xr ssh 1 760should hash host names and addresses when they are added to 761.Pa ~/.ssh/known_hosts . 762These hashed names may be used normally by 763.Xr ssh 1 764and 765.Xr sshd 8 , 766but they do not reveal identifying information should the file's contents 767be disclosed. 768The default is |
846.Dq no . | 769.Cm no . |
847Note that existing names and addresses in known hosts files 848will not be converted automatically, 849but may be manually hashed using 850.Xr ssh-keygen 1 . 851.It Cm HostbasedAuthentication 852Specifies whether to try rhosts based authentication with public key 853authentication. 854The argument must be | 770Note that existing names and addresses in known hosts files 771will not be converted automatically, 772but may be manually hashed using 773.Xr ssh-keygen 1 . 774.It Cm HostbasedAuthentication 775Specifies whether to try rhosts based authentication with public key 776authentication. 777The argument must be |
855.Dq yes | 778.Cm yes |
856or | 779or |
857.Dq no . 858The default is 859.Dq no . | 780.Cm no 781(the default). |
860.It Cm HostbasedKeyTypes 861Specifies the key types that will be used for hostbased authentication 862as a comma-separated pattern list. 863Alternately if the specified value begins with a 864.Sq + 865character, then the specified key types will be appended to the default set 866instead of replacing them. 867The default for this option is: --- 28 unchanged lines hidden (view full) --- 896ssh-rsa-cert-v01@openssh.com, 897ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, 898ssh-ed25519,ssh-rsa 899.Ed 900.Pp 901If hostkeys are known for the destination host then this default is modified 902to prefer their algorithms. 903.Pp | 782.It Cm HostbasedKeyTypes 783Specifies the key types that will be used for hostbased authentication 784as a comma-separated pattern list. 785Alternately if the specified value begins with a 786.Sq + 787character, then the specified key types will be appended to the default set 788instead of replacing them. 789The default for this option is: --- 28 unchanged lines hidden (view full) --- 818ssh-rsa-cert-v01@openssh.com, 819ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, 820ssh-ed25519,ssh-rsa 821.Ed 822.Pp 823If hostkeys are known for the destination host then this default is modified 824to prefer their algorithms. 825.Pp |
904The list of available key types may also be obtained using the 905.Fl Q 906option of 907.Xr ssh 1 908with an argument of 909.Dq key . | 826The list of available key types may also be obtained using 827.Qq ssh -Q key . |
910.It Cm HostKeyAlias 911Specifies an alias that should be used instead of the 912real host name when looking up or saving the host key 913in the host key database files. 914This option is useful for tunneling SSH connections 915or for multiple servers running on a single host. 916.It Cm HostName 917Specifies the real host name to log into. 918This can be used to specify nicknames or abbreviations for hosts. | 828.It Cm HostKeyAlias 829Specifies an alias that should be used instead of the 830real host name when looking up or saving the host key 831in the host key database files. 832This option is useful for tunneling SSH connections 833or for multiple servers running on a single host. 834.It Cm HostName 835Specifies the real host name to log into. 836This can be used to specify nicknames or abbreviations for hosts. |
919If the hostname contains the character sequence 920.Ql %h , 921then this will be replaced with the host name specified on the command line 922(this is useful for manipulating unqualified names). 923The character sequence 924.Ql %% 925will be replaced by a single 926.Ql % 927character, which may be used when specifying IPv6 link-local addresses. 928.Pp 929The default is the name given on the command line. | 837Arguments to 838.Cm HostName 839accept the tokens described in the 840.Sx TOKENS 841section. |
930Numeric IP addresses are also permitted (both on the command line and in 931.Cm HostName 932specifications). | 842Numeric IP addresses are also permitted (both on the command line and in 843.Cm HostName 844specifications). |
845The default is the name given on the command line. |
|
933.It Cm IdentitiesOnly 934Specifies that 935.Xr ssh 1 936should only use the authentication identity and certificate files explicitly 937configured in the 938.Nm 939files 940or passed on the 941.Xr ssh 1 942command-line, 943even if 944.Xr ssh-agent 1 945or a 946.Cm PKCS11Provider 947offers more identities. 948The argument to this keyword must be | 846.It Cm IdentitiesOnly 847Specifies that 848.Xr ssh 1 849should only use the authentication identity and certificate files explicitly 850configured in the 851.Nm 852files 853or passed on the 854.Xr ssh 1 855command-line, 856even if 857.Xr ssh-agent 1 858or a 859.Cm PKCS11Provider 860offers more identities. 861The argument to this keyword must be |
949.Dq yes | 862.Cm yes |
950or | 863or |
951.Dq no . | 864.Cm no 865(the default). |
952This option is intended for situations where ssh-agent 953offers many different identities. | 866This option is intended for situations where ssh-agent 867offers many different identities. |
954The default is 955.Dq no . | |
956.It Cm IdentityAgent 957Specifies the 958.Ux Ns -domain 959socket used to communicate with the authentication agent. 960.Pp 961This option overrides the | 868.It Cm IdentityAgent 869Specifies the 870.Ux Ns -domain 871socket used to communicate with the authentication agent. 872.Pp 873This option overrides the |
962.Dq SSH_AUTH_SOCK | 874.Ev SSH_AUTH_SOCK |
963environment variable and can be used to select a specific agent. 964Setting the socket name to | 875environment variable and can be used to select a specific agent. 876Setting the socket name to |
965.Dq none | 877.Cm none |
966disables the use of an authentication agent. 967If the string | 878disables the use of an authentication agent. 879If the string |
968.Dq SSH_AUTH_SOCK | 880.Qq SSH_AUTH_SOCK |
969is specified, the location of the socket will be read from the 970.Ev SSH_AUTH_SOCK 971environment variable. 972.Pp | 881is specified, the location of the socket will be read from the 882.Ev SSH_AUTH_SOCK 883environment variable. 884.Pp |
973The socket name may use the tilde 974syntax to refer to a user's home directory or one of the following 975escape characters: 976.Ql %d 977(local user's home directory), 978.Ql %u 979(local user name), 980.Ql %l 981(local host name), 982.Ql %h 983(remote host name) or 984.Ql %r 985(remote user name). | 885Arguments to 886.Cm IdentityAgent 887may use the tilde syntax to refer to a user's home directory 888or the tokens described in the 889.Sx TOKENS 890section. |
986.It Cm IdentityFile 987Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA authentication 988identity is read. 989The default is 990.Pa ~/.ssh/identity 991for protocol version 1, and 992.Pa ~/.ssh/id_dsa , 993.Pa ~/.ssh/id_ecdsa , --- 9 unchanged lines hidden (view full) --- 1003.Cm CertificateFile , 1004.Xr ssh 1 1005will try to load certificate information from the filename obtained by 1006appending 1007.Pa -cert.pub 1008to the path of a specified 1009.Cm IdentityFile . 1010.Pp | 891.It Cm IdentityFile 892Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA authentication 893identity is read. 894The default is 895.Pa ~/.ssh/identity 896for protocol version 1, and 897.Pa ~/.ssh/id_dsa , 898.Pa ~/.ssh/id_ecdsa , --- 9 unchanged lines hidden (view full) --- 908.Cm CertificateFile , 909.Xr ssh 1 910will try to load certificate information from the filename obtained by 911appending 912.Pa -cert.pub 913to the path of a specified 914.Cm IdentityFile . 915.Pp |
1011The file name may use the tilde 1012syntax to refer to a user's home directory or one of the following 1013escape characters: 1014.Ql %d 1015(local user's home directory), 1016.Ql %u 1017(local user name), 1018.Ql %l 1019(local host name), 1020.Ql %h 1021(remote host name) or 1022.Ql %r 1023(remote user name). | 916Arguments to 917.Cm IdentityFile 918may use the tilde syntax to refer to a user's home directory 919or the tokens described in the 920.Sx TOKENS 921section. |
1024.Pp 1025It is possible to have 1026multiple identity files specified in configuration files; all these 1027identities will be tried in sequence. 1028Multiple 1029.Cm IdentityFile 1030directives will add to the list of identities tried (this behaviour 1031differs from that of other configuration directives). --- 18 unchanged lines hidden (view full) --- 1050.Cm IgnoreUnknown 1051be listed early in the configuration file as it will not be applied 1052to unknown options that appear before it. 1053.It Cm Include 1054Include the specified configuration file(s). 1055Multiple pathnames may be specified and each pathname may contain 1056.Xr glob 3 1057wildcards and, for user configurations, shell-like | 922.Pp 923It is possible to have 924multiple identity files specified in configuration files; all these 925identities will be tried in sequence. 926Multiple 927.Cm IdentityFile 928directives will add to the list of identities tried (this behaviour 929differs from that of other configuration directives). --- 18 unchanged lines hidden (view full) --- 948.Cm IgnoreUnknown 949be listed early in the configuration file as it will not be applied 950to unknown options that appear before it. 951.It Cm Include 952Include the specified configuration file(s). 953Multiple pathnames may be specified and each pathname may contain 954.Xr glob 3 955wildcards and, for user configurations, shell-like |
1058.Dq ~ | 956.Sq ~ |
1059references to user home directories. 1060Files without absolute paths are assumed to be in 1061.Pa ~/.ssh 1062if included in a user configuration file or 1063.Pa /etc/ssh 1064if included from the system configuration file. 1065.Cm Include 1066directive may appear inside a 1067.Cm Match 1068or 1069.Cm Host 1070block 1071to perform conditional inclusion. 1072.It Cm IPQoS 1073Specifies the IPv4 type-of-service or DSCP class for connections. 1074Accepted values are | 957references to user home directories. 958Files without absolute paths are assumed to be in 959.Pa ~/.ssh 960if included in a user configuration file or 961.Pa /etc/ssh 962if included from the system configuration file. 963.Cm Include 964directive may appear inside a 965.Cm Match 966or 967.Cm Host 968block 969to perform conditional inclusion. 970.It Cm IPQoS 971Specifies the IPv4 type-of-service or DSCP class for connections. 972Accepted values are |
1075.Dq af11 , 1076.Dq af12 , 1077.Dq af13 , 1078.Dq af21 , 1079.Dq af22 , 1080.Dq af23 , 1081.Dq af31 , 1082.Dq af32 , 1083.Dq af33 , 1084.Dq af41 , 1085.Dq af42 , 1086.Dq af43 , 1087.Dq cs0 , 1088.Dq cs1 , 1089.Dq cs2 , 1090.Dq cs3 , 1091.Dq cs4 , 1092.Dq cs5 , 1093.Dq cs6 , 1094.Dq cs7 , 1095.Dq ef , 1096.Dq lowdelay , 1097.Dq throughput , 1098.Dq reliability , | 973.Cm af11 , 974.Cm af12 , 975.Cm af13 , 976.Cm af21 , 977.Cm af22 , 978.Cm af23 , 979.Cm af31 , 980.Cm af32 , 981.Cm af33 , 982.Cm af41 , 983.Cm af42 , 984.Cm af43 , 985.Cm cs0 , 986.Cm cs1 , 987.Cm cs2 , 988.Cm cs3 , 989.Cm cs4 , 990.Cm cs5 , 991.Cm cs6 , 992.Cm cs7 , 993.Cm ef , 994.Cm lowdelay , 995.Cm throughput , 996.Cm reliability , |
1099or a numeric value. 1100This option may take one or two arguments, separated by whitespace. 1101If one argument is specified, it is used as the packet class unconditionally. 1102If two values are specified, the first is automatically selected for 1103interactive sessions and the second for non-interactive sessions. 1104The default is | 997or a numeric value. 998This option may take one or two arguments, separated by whitespace. 999If one argument is specified, it is used as the packet class unconditionally. 1000If two values are specified, the first is automatically selected for 1001interactive sessions and the second for non-interactive sessions. 1002The default is |
1105.Dq lowdelay | 1003.Cm lowdelay |
1106for interactive sessions and | 1004for interactive sessions and |
1107.Dq throughput | 1005.Cm throughput |
1108for non-interactive sessions. 1109.It Cm KbdInteractiveAuthentication 1110Specifies whether to use keyboard-interactive authentication. 1111The argument to this keyword must be | 1006for non-interactive sessions. 1007.It Cm KbdInteractiveAuthentication 1008Specifies whether to use keyboard-interactive authentication. 1009The argument to this keyword must be |
1112.Dq yes | 1010.Cm yes 1011(the default) |
1113or | 1012or |
1114.Dq no . 1115The default is 1116.Dq yes . | 1013.Cm no . |
1117.It Cm KbdInteractiveDevices 1118Specifies the list of methods to use in keyboard-interactive authentication. 1119Multiple method names must be comma-separated. 1120The default is to use the server specified list. 1121The methods available vary depending on what the server supports. 1122For an OpenSSH server, 1123it may be zero or more of: | 1014.It Cm KbdInteractiveDevices 1015Specifies the list of methods to use in keyboard-interactive authentication. 1016Multiple method names must be comma-separated. 1017The default is to use the server specified list. 1018The methods available vary depending on what the server supports. 1019For an OpenSSH server, 1020it may be zero or more of: |
1124.Dq bsdauth , 1125.Dq pam , | 1021.Cm bsdauth , 1022.Cm pam , |
1126and | 1023and |
1127.Dq skey . | 1024.Cm skey . |
1128.It Cm KexAlgorithms 1129Specifies the available KEX (Key Exchange) algorithms. 1130Multiple algorithms must be comma-separated. 1131Alternately if the specified value begins with a 1132.Sq + 1133character, then the specified methods will be appended to the default set 1134instead of replacing them. 1135The default is: 1136.Bd -literal -offset indent | 1025.It Cm KexAlgorithms 1026Specifies the available KEX (Key Exchange) algorithms. 1027Multiple algorithms must be comma-separated. 1028Alternately if the specified value begins with a 1029.Sq + 1030character, then the specified methods will be appended to the default set 1031instead of replacing them. 1032The default is: 1033.Bd -literal -offset indent |
1137curve25519-sha256@libssh.org, | 1034curve25519-sha256,curve25519-sha256@libssh.org, |
1138ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, 1139diffie-hellman-group-exchange-sha256, 1140diffie-hellman-group-exchange-sha1, 1141diffie-hellman-group14-sha1 1142.Ed 1143.Pp | 1035ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, 1036diffie-hellman-group-exchange-sha256, 1037diffie-hellman-group-exchange-sha1, 1038diffie-hellman-group14-sha1 1039.Ed 1040.Pp |
1144The list of available key exchange algorithms may also be obtained using the 1145.Fl Q 1146option of 1147.Xr ssh 1 1148with an argument of 1149.Dq kex . | 1041The list of available key exchange algorithms may also be obtained using 1042.Qq ssh -Q kex . |
1150.It Cm LocalCommand 1151Specifies a command to execute on the local machine after successfully 1152connecting to the server. 1153The command string extends to the end of the line, and is executed with 1154the user's shell. | 1043.It Cm LocalCommand 1044Specifies a command to execute on the local machine after successfully 1045connecting to the server. 1046The command string extends to the end of the line, and is executed with 1047the user's shell. |
1155The following escape character substitutions will be performed: 1156.Ql %d 1157(local user's home directory), 1158.Ql %h 1159(remote host name), 1160.Ql %l 1161(local host name), 1162.Ql %n 1163(host name as provided on the command line), 1164.Ql %p 1165(remote port), 1166.Ql %r 1167(remote user name) or 1168.Ql %u 1169(local user name) or 1170.Ql \&%C 1171by a hash of the concatenation: %l%h%p%r. | 1048Arguments to 1049.Cm LocalCommand 1050accept the tokens described in the 1051.Sx TOKENS 1052section. |
1172.Pp 1173The command is run synchronously and does not have access to the 1174session of the 1175.Xr ssh 1 1176that spawned it. 1177It should not be used for interactive commands. 1178.Pp 1179This directive is ignored unless --- 16 unchanged lines hidden (view full) --- 1196.Cm GatewayPorts 1197setting. 1198However, an explicit 1199.Ar bind_address 1200may be used to bind the connection to a specific address. 1201The 1202.Ar bind_address 1203of | 1053.Pp 1054The command is run synchronously and does not have access to the 1055session of the 1056.Xr ssh 1 1057that spawned it. 1058It should not be used for interactive commands. 1059.Pp 1060This directive is ignored unless --- 16 unchanged lines hidden (view full) --- 1077.Cm GatewayPorts 1078setting. 1079However, an explicit 1080.Ar bind_address 1081may be used to bind the connection to a specific address. 1082The 1083.Ar bind_address 1084of |
1204.Dq localhost | 1085.Cm localhost |
1205indicates that the listening port be bound for local use only, while an 1206empty address or 1207.Sq * 1208indicates that the port should be available from all interfaces. 1209.It Cm LogLevel 1210Gives the verbosity level that is used when logging messages from 1211.Xr ssh 1 . 1212The possible values are: --- 7 unchanged lines hidden (view full) --- 1220The MAC algorithm is used for data integrity protection. 1221Multiple algorithms must be comma-separated. 1222If the specified value begins with a 1223.Sq + 1224character, then the specified algorithms will be appended to the default set 1225instead of replacing them. 1226.Pp 1227The algorithms that contain | 1086indicates that the listening port be bound for local use only, while an 1087empty address or 1088.Sq * 1089indicates that the port should be available from all interfaces. 1090.It Cm LogLevel 1091Gives the verbosity level that is used when logging messages from 1092.Xr ssh 1 . 1093The possible values are: --- 7 unchanged lines hidden (view full) --- 1101The MAC algorithm is used for data integrity protection. 1102Multiple algorithms must be comma-separated. 1103If the specified value begins with a 1104.Sq + 1105character, then the specified algorithms will be appended to the default set 1106instead of replacing them. 1107.Pp 1108The algorithms that contain |
1228.Dq -etm | 1109.Qq -etm |
1229calculate the MAC after encryption (encrypt-then-mac). 1230These are considered safer and their use recommended. 1231.Pp 1232The default is: 1233.Bd -literal -offset indent 1234umac-64-etm@openssh.com,umac-128-etm@openssh.com, 1235hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, 1236hmac-sha1-etm@openssh.com, 1237umac-64@openssh.com,umac-128@openssh.com, 1238hmac-sha2-256,hmac-sha2-512,hmac-sha1 1239.Ed 1240.Pp | 1110calculate the MAC after encryption (encrypt-then-mac). 1111These are considered safer and their use recommended. 1112.Pp 1113The default is: 1114.Bd -literal -offset indent 1115umac-64-etm@openssh.com,umac-128-etm@openssh.com, 1116hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, 1117hmac-sha1-etm@openssh.com, 1118umac-64@openssh.com,umac-128@openssh.com, 1119hmac-sha2-256,hmac-sha2-512,hmac-sha1 1120.Ed 1121.Pp |
1241The list of available MAC algorithms may also be obtained using the 1242.Fl Q 1243option of 1244.Xr ssh 1 1245with an argument of 1246.Dq mac . | 1122The list of available MAC algorithms may also be obtained using 1123.Qq ssh -Q mac . |
1247.It Cm NoHostAuthenticationForLocalhost 1248This option can be used if the home directory is shared across machines. 1249In this case localhost will refer to a different machine on each of 1250the machines and the user will get many warnings about changed host keys. 1251However, this option disables host authentication for localhost. 1252The argument to this keyword must be | 1124.It Cm NoHostAuthenticationForLocalhost 1125This option can be used if the home directory is shared across machines. 1126In this case localhost will refer to a different machine on each of 1127the machines and the user will get many warnings about changed host keys. 1128However, this option disables host authentication for localhost. 1129The argument to this keyword must be |
1253.Dq yes | 1130.Cm yes |
1254or | 1131or |
1255.Dq no . 1256The default is to check the host key for localhost. | 1132.Cm no . 1133(the default). |
1257.It Cm NumberOfPasswordPrompts 1258Specifies the number of password prompts before giving up. 1259The argument to this keyword must be an integer. 1260The default is 3. 1261.It Cm PasswordAuthentication 1262Specifies whether to use password authentication. 1263The argument to this keyword must be | 1134.It Cm NumberOfPasswordPrompts 1135Specifies the number of password prompts before giving up. 1136The argument to this keyword must be an integer. 1137The default is 3. 1138.It Cm PasswordAuthentication 1139Specifies whether to use password authentication. 1140The argument to this keyword must be |
1264.Dq yes | 1141.Cm yes 1142(the default) |
1265or | 1143or |
1266.Dq no . 1267The default is 1268.Dq yes . | 1144.Cm no . |
1269.It Cm PermitLocalCommand 1270Allow local command execution via the 1271.Ic LocalCommand 1272option or using the 1273.Ic !\& Ns Ar command 1274escape sequence in 1275.Xr ssh 1 . 1276The argument must be | 1145.It Cm PermitLocalCommand 1146Allow local command execution via the 1147.Ic LocalCommand 1148option or using the 1149.Ic !\& Ns Ar command 1150escape sequence in 1151.Xr ssh 1 . 1152The argument must be |
1277.Dq yes | 1153.Cm yes |
1278or | 1154or |
1279.Dq no . 1280The default is 1281.Dq no . | 1155.Cm no 1156(the default). |
1282.It Cm PKCS11Provider 1283Specifies which PKCS#11 provider to use. 1284The argument to this keyword is the PKCS#11 shared library 1285.Xr ssh 1 1286should use to communicate with a PKCS#11 token providing the user's 1287private RSA key. 1288.It Cm Port 1289Specifies the port number to connect on the remote host. --- 8 unchanged lines hidden (view full) --- 1298.Bd -literal -offset indent 1299gssapi-with-mic,hostbased,publickey, 1300keyboard-interactive,password 1301.Ed 1302.It Cm Protocol 1303Specifies the protocol versions 1304.Xr ssh 1 1305should support in order of preference. | 1157.It Cm PKCS11Provider 1158Specifies which PKCS#11 provider to use. 1159The argument to this keyword is the PKCS#11 shared library 1160.Xr ssh 1 1161should use to communicate with a PKCS#11 token providing the user's 1162private RSA key. 1163.It Cm Port 1164Specifies the port number to connect on the remote host. --- 8 unchanged lines hidden (view full) --- 1173.Bd -literal -offset indent 1174gssapi-with-mic,hostbased,publickey, 1175keyboard-interactive,password 1176.Ed 1177.It Cm Protocol 1178Specifies the protocol versions 1179.Xr ssh 1 1180should support in order of preference. |
1306The possible values are 1307.Sq 1 1308and 1309.Sq 2 . | 1181The possible values are 1 and 2. |
1310Multiple versions must be comma-separated. 1311When this option is set to | 1182Multiple versions must be comma-separated. 1183When this option is set to |
1312.Dq 2,1 | 1184.Cm 2,1 |
1313.Nm ssh 1314will try version 2 and fall back to version 1 1315if version 2 is not available. | 1185.Nm ssh 1186will try version 2 and fall back to version 1 1187if version 2 is not available. |
1316The default is 1317.Sq 2 . | 1188The default is version 2. |
1318Protocol 1 suffers from a number of cryptographic weaknesses and should 1319not be used. 1320It is only offered to support legacy devices. 1321.It Cm ProxyCommand 1322Specifies the command to use to connect to the server. 1323The command 1324string extends to the end of the line, and is executed 1325using the user's shell 1326.Ql exec 1327directive to avoid a lingering shell process. 1328.Pp | 1189Protocol 1 suffers from a number of cryptographic weaknesses and should 1190not be used. 1191It is only offered to support legacy devices. 1192.It Cm ProxyCommand 1193Specifies the command to use to connect to the server. 1194The command 1195string extends to the end of the line, and is executed 1196using the user's shell 1197.Ql exec 1198directive to avoid a lingering shell process. 1199.Pp |
1329In the command string, any occurrence of 1330.Ql %h 1331will be substituted by the host name to 1332connect, 1333.Ql %p 1334by the port, and 1335.Ql %r 1336by the remote user name. | 1200Arguments to 1201.Cm ProxyCommand 1202accept the tokens described in the 1203.Sx TOKENS 1204section. |
1337The command can be basically anything, 1338and should read from its standard input and write to its standard output. 1339It should eventually connect an 1340.Xr sshd 8 1341server running on some machine, or execute 1342.Ic sshd -i 1343somewhere. 1344Host key management will be done using the 1345HostName of the host being connected (defaulting to the name typed by 1346the user). 1347Setting the command to | 1205The command can be basically anything, 1206and should read from its standard input and write to its standard output. 1207It should eventually connect an 1208.Xr sshd 8 1209server running on some machine, or execute 1210.Ic sshd -i 1211somewhere. 1212Host key management will be done using the 1213HostName of the host being connected (defaulting to the name typed by 1214the user). 1215Setting the command to |
1348.Dq none | 1216.Cm none |
1349disables this option entirely. 1350Note that 1351.Cm CheckHostIP 1352is not available for connects with a proxy command. 1353.Pp 1354This directive is useful in conjunction with 1355.Xr nc 1 1356and its proxy support. --- 28 unchanged lines hidden (view full) --- 1385other from taking effect. 1386.It Cm ProxyUseFdpass 1387Specifies that 1388.Cm ProxyCommand 1389will pass a connected file descriptor back to 1390.Xr ssh 1 1391instead of continuing to execute and pass data. 1392The default is | 1217disables this option entirely. 1218Note that 1219.Cm CheckHostIP 1220is not available for connects with a proxy command. 1221.Pp 1222This directive is useful in conjunction with 1223.Xr nc 1 1224and its proxy support. --- 28 unchanged lines hidden (view full) --- 1253other from taking effect. 1254.It Cm ProxyUseFdpass 1255Specifies that 1256.Cm ProxyCommand 1257will pass a connected file descriptor back to 1258.Xr ssh 1 1259instead of continuing to execute and pass data. 1260The default is |
1393.Dq no . | 1261.Cm no . |
1394.It Cm PubkeyAcceptedKeyTypes 1395Specifies the key types that will be used for public key authentication 1396as a comma-separated pattern list. 1397Alternately if the specified value begins with a 1398.Sq + 1399character, then the key types after it will be appended to the default 1400instead of replacing it. 1401The default for this option is: 1402.Bd -literal -offset 3n 1403ecdsa-sha2-nistp256-cert-v01@openssh.com, 1404ecdsa-sha2-nistp384-cert-v01@openssh.com, 1405ecdsa-sha2-nistp521-cert-v01@openssh.com, 1406ssh-ed25519-cert-v01@openssh.com, 1407ssh-rsa-cert-v01@openssh.com, 1408ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, 1409ssh-ed25519,ssh-rsa 1410.Ed 1411.Pp | 1262.It Cm PubkeyAcceptedKeyTypes 1263Specifies the key types that will be used for public key authentication 1264as a comma-separated pattern list. 1265Alternately if the specified value begins with a 1266.Sq + 1267character, then the key types after it will be appended to the default 1268instead of replacing it. 1269The default for this option is: 1270.Bd -literal -offset 3n 1271ecdsa-sha2-nistp256-cert-v01@openssh.com, 1272ecdsa-sha2-nistp384-cert-v01@openssh.com, 1273ecdsa-sha2-nistp521-cert-v01@openssh.com, 1274ssh-ed25519-cert-v01@openssh.com, 1275ssh-rsa-cert-v01@openssh.com, 1276ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, 1277ssh-ed25519,ssh-rsa 1278.Ed 1279.Pp |
1412The 1413.Fl Q 1414option of 1415.Xr ssh 1 1416may be used to list supported key types. | 1280The list of available key types may also be obtained using 1281.Qq ssh -Q key . |
1417.It Cm PubkeyAuthentication 1418Specifies whether to try public key authentication. 1419The argument to this keyword must be | 1282.It Cm PubkeyAuthentication 1283Specifies whether to try public key authentication. 1284The argument to this keyword must be |
1420.Dq yes | 1285.Cm yes 1286(the default) |
1421or | 1287or |
1422.Dq no . 1423The default is 1424.Dq yes . | 1288.Cm no . |
1425.It Cm RekeyLimit 1426Specifies the maximum amount of data that may be transmitted before the 1427session key is renegotiated, optionally followed a maximum amount of 1428time that may pass before the session key is renegotiated. 1429The first argument is specified in bytes and may have a suffix of 1430.Sq K , 1431.Sq M , 1432or 1433.Sq G 1434to indicate Kilobytes, Megabytes, or Gigabytes, respectively. 1435The default is between 1436.Sq 1G 1437and 1438.Sq 4G , 1439depending on the cipher. 1440The optional second value is specified in seconds and may use any of the 1441units documented in the | 1289.It Cm RekeyLimit 1290Specifies the maximum amount of data that may be transmitted before the 1291session key is renegotiated, optionally followed a maximum amount of 1292time that may pass before the session key is renegotiated. 1293The first argument is specified in bytes and may have a suffix of 1294.Sq K , 1295.Sq M , 1296or 1297.Sq G 1298to indicate Kilobytes, Megabytes, or Gigabytes, respectively. 1299The default is between 1300.Sq 1G 1301and 1302.Sq 4G , 1303depending on the cipher. 1304The optional second value is specified in seconds and may use any of the 1305units documented in the |
1442TIME FORMATS section of | 1306.Sx TIME FORMATS 1307section of |
1443.Xr sshd_config 5 . 1444The default value for 1445.Cm RekeyLimit 1446is | 1308.Xr sshd_config 5 . 1309The default value for 1310.Cm RekeyLimit 1311is |
1447.Dq default none , | 1312.Cm default none , |
1448which means that rekeying is performed after the cipher's default amount 1449of data has been sent or received and no time based rekeying is done. 1450.It Cm RemoteForward 1451Specifies that a TCP port on the remote machine be forwarded over 1452the secure channel to the specified host and port from the local machine. 1453The first argument must be 1454.Sm off 1455.Oo Ar bind_address : Oc Ar port 1456.Sm on 1457and the second argument must be 1458.Ar host : Ns Ar hostport . 1459IPv6 addresses can be specified by enclosing addresses in square brackets. 1460Multiple forwardings may be specified, and additional 1461forwardings can be given on the command line. 1462Privileged ports can be forwarded only when 1463logging in as root on the remote machine. 1464.Pp 1465If the 1466.Ar port | 1313which means that rekeying is performed after the cipher's default amount 1314of data has been sent or received and no time based rekeying is done. 1315.It Cm RemoteForward 1316Specifies that a TCP port on the remote machine be forwarded over 1317the secure channel to the specified host and port from the local machine. 1318The first argument must be 1319.Sm off 1320.Oo Ar bind_address : Oc Ar port 1321.Sm on 1322and the second argument must be 1323.Ar host : Ns Ar hostport . 1324IPv6 addresses can be specified by enclosing addresses in square brackets. 1325Multiple forwardings may be specified, and additional 1326forwardings can be given on the command line. 1327Privileged ports can be forwarded only when 1328logging in as root on the remote machine. 1329.Pp 1330If the 1331.Ar port |
1467argument is 1468.Ql 0 , | 1332argument is 0, |
1469the listen port will be dynamically allocated on the server and reported 1470to the client at run time. 1471.Pp 1472If the 1473.Ar bind_address 1474is not specified, the default is to only bind to loopback addresses. 1475If the 1476.Ar bind_address --- 5 unchanged lines hidden (view full) --- 1482.Ar bind_address 1483will only succeed if the server's 1484.Cm GatewayPorts 1485option is enabled (see 1486.Xr sshd_config 5 ) . 1487.It Cm RequestTTY 1488Specifies whether to request a pseudo-tty for the session. 1489The argument may be one of: | 1333the listen port will be dynamically allocated on the server and reported 1334to the client at run time. 1335.Pp 1336If the 1337.Ar bind_address 1338is not specified, the default is to only bind to loopback addresses. 1339If the 1340.Ar bind_address --- 5 unchanged lines hidden (view full) --- 1346.Ar bind_address 1347will only succeed if the server's 1348.Cm GatewayPorts 1349option is enabled (see 1350.Xr sshd_config 5 ) . 1351.It Cm RequestTTY 1352Specifies whether to request a pseudo-tty for the session. 1353The argument may be one of: |
1490.Dq no | 1354.Cm no |
1491(never request a TTY), | 1355(never request a TTY), |
1492.Dq yes | 1356.Cm yes |
1493(always request a TTY when standard input is a TTY), | 1357(always request a TTY when standard input is a TTY), |
1494.Dq force | 1358.Cm force |
1495(always request a TTY) or | 1359(always request a TTY) or |
1496.Dq auto | 1360.Cm auto |
1497(request a TTY when opening a login session). 1498This option mirrors the 1499.Fl t 1500and 1501.Fl T 1502flags for 1503.Xr ssh 1 . 1504.It Cm RevokedHostKeys --- 5 unchanged lines hidden (view full) --- 1510an OpenSSH Key Revocation List (KRL) as generated by 1511.Xr ssh-keygen 1 . 1512For more information on KRLs, see the KEY REVOCATION LISTS section in 1513.Xr ssh-keygen 1 . 1514.It Cm RhostsRSAAuthentication 1515Specifies whether to try rhosts based authentication with RSA host 1516authentication. 1517The argument must be | 1361(request a TTY when opening a login session). 1362This option mirrors the 1363.Fl t 1364and 1365.Fl T 1366flags for 1367.Xr ssh 1 . 1368.It Cm RevokedHostKeys --- 5 unchanged lines hidden (view full) --- 1374an OpenSSH Key Revocation List (KRL) as generated by 1375.Xr ssh-keygen 1 . 1376For more information on KRLs, see the KEY REVOCATION LISTS section in 1377.Xr ssh-keygen 1 . 1378.It Cm RhostsRSAAuthentication 1379Specifies whether to try rhosts based authentication with RSA host 1380authentication. 1381The argument must be |
1518.Dq yes | 1382.Cm yes |
1519or | 1383or |
1520.Dq no . 1521The default is 1522.Dq no . | 1384.Cm no 1385(the default). |
1523This option applies to protocol version 1 only and requires 1524.Xr ssh 1 1525to be setuid root. 1526.It Cm RSAAuthentication 1527Specifies whether to try RSA authentication. 1528The argument to this keyword must be | 1386This option applies to protocol version 1 only and requires 1387.Xr ssh 1 1388to be setuid root. 1389.It Cm RSAAuthentication 1390Specifies whether to try RSA authentication. 1391The argument to this keyword must be |
1529.Dq yes | 1392.Cm yes 1393(the default) |
1530or | 1394or |
1531.Dq no . | 1395.Cm no . |
1532RSA authentication will only be 1533attempted if the identity file exists, or an authentication agent is 1534running. | 1396RSA authentication will only be 1397attempted if the identity file exists, or an authentication agent is 1398running. |
1535The default is 1536.Dq yes . | |
1537Note that this option applies to protocol version 1 only. 1538.It Cm SendEnv 1539Specifies what variables from the local 1540.Xr environ 7 1541should be sent to the server. 1542The server must also support it, and the server must be configured to 1543accept these environment variables. 1544Note that the --- 66 unchanged lines hidden (view full) --- 1611If the socket file already exists and 1612.Cm StreamLocalBindUnlink 1613is not enabled, 1614.Nm ssh 1615will be unable to forward the port to the Unix-domain socket file. 1616This option is only used for port forwarding to a Unix-domain socket file. 1617.Pp 1618The argument must be | 1399Note that this option applies to protocol version 1 only. 1400.It Cm SendEnv 1401Specifies what variables from the local 1402.Xr environ 7 1403should be sent to the server. 1404The server must also support it, and the server must be configured to 1405accept these environment variables. 1406Note that the --- 66 unchanged lines hidden (view full) --- 1473If the socket file already exists and 1474.Cm StreamLocalBindUnlink 1475is not enabled, 1476.Nm ssh 1477will be unable to forward the port to the Unix-domain socket file. 1478This option is only used for port forwarding to a Unix-domain socket file. 1479.Pp 1480The argument must be |
1619.Dq yes | 1481.Cm yes |
1620or | 1482or |
1621.Dq no . 1622The default is 1623.Dq no . | 1483.Cm no 1484(the default). |
1624.It Cm StrictHostKeyChecking 1625If this flag is set to | 1485.It Cm StrictHostKeyChecking 1486If this flag is set to |
1626.Dq yes , | 1487.Cm yes , |
1627.Xr ssh 1 1628will never automatically add host keys to the 1629.Pa ~/.ssh/known_hosts 1630file, and refuses to connect to hosts whose host key has changed. 1631This provides maximum protection against trojan horse attacks, 1632though it can be annoying when the 1633.Pa /etc/ssh/ssh_known_hosts 1634file is poorly maintained or when connections to new hosts are 1635frequently made. 1636This option forces the user to manually 1637add all new hosts. 1638If this flag is set to | 1488.Xr ssh 1 1489will never automatically add host keys to the 1490.Pa ~/.ssh/known_hosts 1491file, and refuses to connect to hosts whose host key has changed. 1492This provides maximum protection against trojan horse attacks, 1493though it can be annoying when the 1494.Pa /etc/ssh/ssh_known_hosts 1495file is poorly maintained or when connections to new hosts are 1496frequently made. 1497This option forces the user to manually 1498add all new hosts. 1499If this flag is set to |
1639.Dq no , | 1500.Cm no , |
1640ssh will automatically add new host keys to the 1641user known hosts files. 1642If this flag is set to | 1501ssh will automatically add new host keys to the 1502user known hosts files. 1503If this flag is set to |
1643.Dq ask , | 1504.Cm ask 1505(the default), |
1644new host keys 1645will be added to the user known host files only after the user 1646has confirmed that is what they really want to do, and 1647ssh will refuse to connect to hosts whose host key has changed. 1648The host keys of 1649known hosts will be verified automatically in all cases. | 1506new host keys 1507will be added to the user known host files only after the user 1508has confirmed that is what they really want to do, and 1509ssh will refuse to connect to hosts whose host key has changed. 1510The host keys of 1511known hosts will be verified automatically in all cases. |
1650The argument must be 1651.Dq yes , 1652.Dq no , 1653or 1654.Dq ask . 1655The default is 1656.Dq ask . | |
1657.It Cm TCPKeepAlive 1658Specifies whether the system should send TCP keepalive messages to the 1659other side. 1660If they are sent, death of the connection or crash of one 1661of the machines will be properly noticed. 1662However, this means that 1663connections will die if the route is down temporarily, and some people 1664find it annoying. 1665.Pp 1666The default is | 1512.It Cm TCPKeepAlive 1513Specifies whether the system should send TCP keepalive messages to the 1514other side. 1515If they are sent, death of the connection or crash of one 1516of the machines will be properly noticed. 1517However, this means that 1518connections will die if the route is down temporarily, and some people 1519find it annoying. 1520.Pp 1521The default is |
1667.Dq yes | 1522.Cm yes |
1668(to send TCP keepalive messages), and the client will notice 1669if the network goes down or the remote host dies. 1670This is important in scripts, and many users want it too. 1671.Pp 1672To disable TCP keepalive messages, the value should be set to | 1523(to send TCP keepalive messages), and the client will notice 1524if the network goes down or the remote host dies. 1525This is important in scripts, and many users want it too. 1526.Pp 1527To disable TCP keepalive messages, the value should be set to |
1673.Dq no . | 1528.Cm no . |
1674.It Cm Tunnel 1675Request 1676.Xr tun 4 1677device forwarding between the client and the server. 1678The argument must be | 1529.It Cm Tunnel 1530Request 1531.Xr tun 4 1532device forwarding between the client and the server. 1533The argument must be |
1679.Dq yes , 1680.Dq point-to-point | 1534.Cm yes , 1535.Cm point-to-point |
1681(layer 3), | 1536(layer 3), |
1682.Dq ethernet | 1537.Cm ethernet |
1683(layer 2), 1684or | 1538(layer 2), 1539or |
1685.Dq no . | 1540.Cm no 1541(the default). |
1686Specifying | 1542Specifying |
1687.Dq yes | 1543.Cm yes |
1688requests the default tunnel mode, which is | 1544requests the default tunnel mode, which is |
1689.Dq point-to-point . 1690The default is 1691.Dq no . | 1545.Cm point-to-point . |
1692.It Cm TunnelDevice 1693Specifies the 1694.Xr tun 4 1695devices to open on the client 1696.Pq Ar local_tun 1697and the server 1698.Pq Ar remote_tun . 1699.Pp 1700The argument must be 1701.Sm off 1702.Ar local_tun Op : Ar remote_tun . 1703.Sm on 1704The devices may be specified by numerical ID or the keyword | 1546.It Cm TunnelDevice 1547Specifies the 1548.Xr tun 4 1549devices to open on the client 1550.Pq Ar local_tun 1551and the server 1552.Pq Ar remote_tun . 1553.Pp 1554The argument must be 1555.Sm off 1556.Ar local_tun Op : Ar remote_tun . 1557.Sm on 1558The devices may be specified by numerical ID or the keyword |
1705.Dq any , | 1559.Cm any , |
1706which uses the next available tunnel device. 1707If 1708.Ar remote_tun 1709is not specified, it defaults to | 1560which uses the next available tunnel device. 1561If 1562.Ar remote_tun 1563is not specified, it defaults to |
1710.Dq any . | 1564.Cm any . |
1711The default is | 1565The default is |
1712.Dq any:any . | 1566.Cm any:any . |
1713.It Cm UpdateHostKeys 1714Specifies whether 1715.Xr ssh 1 1716should accept notifications of additional hostkeys from the server sent 1717after authentication has completed and add them to 1718.Cm UserKnownHostsFile . 1719The argument must be | 1567.It Cm UpdateHostKeys 1568Specifies whether 1569.Xr ssh 1 1570should accept notifications of additional hostkeys from the server sent 1571after authentication has completed and add them to 1572.Cm UserKnownHostsFile . 1573The argument must be |
1720.Dq yes , 1721.Dq no | 1574.Cm yes , 1575.Cm no |
1722(the default) or | 1576(the default) or |
1723.Dq ask . | 1577.Cm ask . |
1724Enabling this option allows learning alternate hostkeys for a server 1725and supports graceful key rotation by allowing a server to send replacement 1726public keys before old ones are removed. 1727Additional hostkeys are only accepted if the key used to authenticate the 1728host was already trusted or explicitly accepted by the user. 1729If 1730.Cm UpdateHostKeys 1731is set to | 1578Enabling this option allows learning alternate hostkeys for a server 1579and supports graceful key rotation by allowing a server to send replacement 1580public keys before old ones are removed. 1581Additional hostkeys are only accepted if the key used to authenticate the 1582host was already trusted or explicitly accepted by the user. 1583If 1584.Cm UpdateHostKeys 1585is set to |
1732.Dq ask , | 1586.Cm ask , |
1733then the user is asked to confirm the modifications to the known_hosts file. 1734Confirmation is currently incompatible with 1735.Cm ControlPersist , 1736and will be disabled if it is enabled. 1737.Pp 1738Presently, only 1739.Xr sshd 8 1740from OpenSSH 6.8 and greater support the | 1587then the user is asked to confirm the modifications to the known_hosts file. 1588Confirmation is currently incompatible with 1589.Cm ControlPersist , 1590and will be disabled if it is enabled. 1591.Pp 1592Presently, only 1593.Xr sshd 8 1594from OpenSSH 6.8 and greater support the |
1741.Dq hostkeys@openssh.com | 1595.Qq hostkeys@openssh.com |
1742protocol extension used to inform the client of all the server's hostkeys. 1743.It Cm UsePrivilegedPort 1744Specifies whether to use a privileged port for outgoing connections. 1745The argument must be | 1596protocol extension used to inform the client of all the server's hostkeys. 1597.It Cm UsePrivilegedPort 1598Specifies whether to use a privileged port for outgoing connections. 1599The argument must be |
1746.Dq yes | 1600.Cm yes |
1747or | 1601or |
1748.Dq no . 1749The default is 1750.Dq no . | 1602.Cm no 1603(the default). |
1751If set to | 1604If set to |
1752.Dq yes , | 1605.Cm yes , |
1753.Xr ssh 1 1754must be setuid root. 1755Note that this option must be set to | 1606.Xr ssh 1 1607must be setuid root. 1608Note that this option must be set to |
1756.Dq yes | 1609.Cm yes |
1757for 1758.Cm RhostsRSAAuthentication 1759with older servers. 1760.It Cm User 1761Specifies the user to log in as. 1762This can be useful when a different user name is used on different machines. 1763This saves the trouble of 1764having to remember to give the user name on the command line. 1765.It Cm UserKnownHostsFile 1766Specifies one or more files to use for the user 1767host key database, separated by whitespace. 1768The default is 1769.Pa ~/.ssh/known_hosts , 1770.Pa ~/.ssh/known_hosts2 . 1771.It Cm VerifyHostKeyDNS 1772Specifies whether to verify the remote key using DNS and SSHFP resource 1773records. 1774If this option is set to | 1610for 1611.Cm RhostsRSAAuthentication 1612with older servers. 1613.It Cm User 1614Specifies the user to log in as. 1615This can be useful when a different user name is used on different machines. 1616This saves the trouble of 1617having to remember to give the user name on the command line. 1618.It Cm UserKnownHostsFile 1619Specifies one or more files to use for the user 1620host key database, separated by whitespace. 1621The default is 1622.Pa ~/.ssh/known_hosts , 1623.Pa ~/.ssh/known_hosts2 . 1624.It Cm VerifyHostKeyDNS 1625Specifies whether to verify the remote key using DNS and SSHFP resource 1626records. 1627If this option is set to |
1775.Dq yes , | 1628.Cm yes , |
1776the client will implicitly trust keys that match a secure fingerprint 1777from DNS. 1778Insecure fingerprints will be handled as if this option was set to | 1629the client will implicitly trust keys that match a secure fingerprint 1630from DNS. 1631Insecure fingerprints will be handled as if this option was set to |
1779.Dq ask . | 1632.Cm ask . |
1780If this option is set to | 1633If this option is set to |
1781.Dq ask , | 1634.Cm ask , |
1782information on fingerprint match will be displayed, but the user will still 1783need to confirm new host keys according to the 1784.Cm StrictHostKeyChecking 1785option. | 1635information on fingerprint match will be displayed, but the user will still 1636need to confirm new host keys according to the 1637.Cm StrictHostKeyChecking 1638option. |
1786The argument must be 1787.Dq yes , 1788.Dq no , 1789or 1790.Dq ask . | |
1791The default is | 1639The default is |
1792.Dq yes | 1640.Cm yes |
1793if compiled with LDNS and | 1641if compiled with LDNS and |
1794.Dq no | 1642.Cm no |
1795otherwise. 1796.Pp | 1643otherwise. 1644.Pp |
1797See also VERIFYING HOST KEYS in | 1645See also 1646.Sx VERIFYING HOST KEYS 1647in |
1798.Xr ssh 1 . 1799.It Cm VersionAddendum 1800Specifies a string to append to the regular version string to identify 1801OS- or site-specific modifications. 1802The default is 1803.Dq FreeBSD-20170902 . 1804The value | 1648.Xr ssh 1 . 1649.It Cm VersionAddendum 1650Specifies a string to append to the regular version string to identify 1651OS- or site-specific modifications. 1652The default is 1653.Dq FreeBSD-20170902 . 1654The value |
1805.Dq none | 1655.Cm none |
1806may be used to disable this. 1807.It Cm VisualHostKey 1808If this flag is set to | 1656may be used to disable this. 1657.It Cm VisualHostKey 1658If this flag is set to |
1809.Dq yes , | 1659.Cm yes , |
1810an ASCII art representation of the remote host key fingerprint is 1811printed in addition to the fingerprint string at login and 1812for unknown host keys. 1813If this flag is set to | 1660an ASCII art representation of the remote host key fingerprint is 1661printed in addition to the fingerprint string at login and 1662for unknown host keys. 1663If this flag is set to |
1814.Dq no , | 1664.Cm no 1665(the default), |
1815no fingerprint strings are printed at login and 1816only the fingerprint string will be printed for unknown host keys. | 1666no fingerprint strings are printed at login and 1667only the fingerprint string will be printed for unknown host keys. |
1817The default is 1818.Dq no . | |
1819.It Cm XAuthLocation 1820Specifies the full pathname of the 1821.Xr xauth 1 1822program. 1823The default is 1824.Pa /usr/local/bin/xauth . 1825.El 1826.Sh PATTERNS 1827A 1828.Em pattern 1829consists of zero or more non-whitespace characters, 1830.Sq * 1831(a wildcard that matches zero or more characters), 1832or 1833.Sq ?\& 1834(a wildcard that matches exactly one character). 1835For example, to specify a set of declarations for any host in the | 1668.It Cm XAuthLocation 1669Specifies the full pathname of the 1670.Xr xauth 1 1671program. 1672The default is 1673.Pa /usr/local/bin/xauth . 1674.El 1675.Sh PATTERNS 1676A 1677.Em pattern 1678consists of zero or more non-whitespace characters, 1679.Sq * 1680(a wildcard that matches zero or more characters), 1681or 1682.Sq ?\& 1683(a wildcard that matches exactly one character). 1684For example, to specify a set of declarations for any host in the |
1836.Dq .co.uk | 1685.Qq .co.uk |
1837set of domains, 1838the following pattern could be used: 1839.Pp 1840.Dl Host *.co.uk 1841.Pp 1842The following pattern 1843would match any host in the 192.168.0.[0-9] network range: 1844.Pp 1845.Dl Host 192.168.0.? 1846.Pp 1847A 1848.Em pattern-list 1849is a comma-separated list of patterns. 1850Patterns within pattern-lists may be negated 1851by preceding them with an exclamation mark 1852.Pq Sq !\& . 1853For example, 1854to allow a key to be used from anywhere within an organization 1855except from the | 1686set of domains, 1687the following pattern could be used: 1688.Pp 1689.Dl Host *.co.uk 1690.Pp 1691The following pattern 1692would match any host in the 192.168.0.[0-9] network range: 1693.Pp 1694.Dl Host 192.168.0.? 1695.Pp 1696A 1697.Em pattern-list 1698is a comma-separated list of patterns. 1699Patterns within pattern-lists may be negated 1700by preceding them with an exclamation mark 1701.Pq Sq !\& . 1702For example, 1703to allow a key to be used from anywhere within an organization 1704except from the |
1856.Dq dialup | 1705.Qq dialup |
1857pool, 1858the following entry (in authorized_keys) could be used: 1859.Pp 1860.Dl from=\&"!*.dialup.example.com,*.example.com\&" | 1706pool, 1707the following entry (in authorized_keys) could be used: 1708.Pp 1709.Dl from=\&"!*.dialup.example.com,*.example.com\&" |
1710.Sh TOKENS 1711Arguments to some keywords can make use of tokens, 1712which are expanded at runtime: 1713.Pp 1714.Bl -tag -width XXXX -offset indent -compact 1715.It %% 1716A literal 1717.Sq % . 1718.It \&%C 1719Shorthand for %l%h%p%r. 1720.It %d 1721Local user's home directory. 1722.It %h 1723The remote hostname. 1724.It %i 1725The local user ID. 1726.It %L 1727The local hostname. 1728.It %l 1729The local hostname, including the domain name. 1730.It %n 1731The original remote hostname, as given on the command line. 1732.It %p 1733The remote port. 1734.It %r 1735The remote username. 1736.It %u 1737The local username. 1738.El 1739.Pp 1740.Cm Match exec 1741accepts the tokens %%, %h, %L, %l, %n, %p, %r, and %u. 1742.Pp 1743.Cm CertificateFile 1744accepts the tokens %%, %d, %h, %l, %r, and %u. 1745.Pp 1746.Cm ControlPath 1747accepts the tokens %%, %C, %h, %i, %L, %l, %n, %p, %r, and %u. 1748.Pp 1749.Cm HostName 1750accepts the tokens %% and %h. 1751.Pp 1752.Cm IdentityAgent 1753and 1754.Cm IdentityFile 1755accept the tokens %%, %d, %h, %l, %r, and %u. 1756.Pp 1757.Cm LocalCommand 1758accepts the tokens %%, %C, %d, %h, %l, %n, %p, %r, and %u. 1759.Pp 1760.Cm ProxyCommand 1761accepts the tokens %%, %h, %p, and %r. |
|
1861.Sh FILES 1862.Bl -tag -width Ds 1863.It Pa ~/.ssh/config 1864This is the per-user configuration file. 1865The format of this file is described above. 1866This file is used by the SSH client. 1867Because of the potential for abuse, this file must have strict permissions: 1868read/write for the user, and not accessible by others. 1869.It Pa /etc/ssh/ssh_config 1870Systemwide configuration file. 1871This file provides defaults for those 1872values that are not specified in the user's configuration file, and 1873for those users who do not have a configuration file. 1874This file must be world-readable. 1875.El 1876.Sh SEE ALSO 1877.Xr ssh 1 1878.Sh AUTHORS | 1762.Sh FILES 1763.Bl -tag -width Ds 1764.It Pa ~/.ssh/config 1765This is the per-user configuration file. 1766The format of this file is described above. 1767This file is used by the SSH client. 1768Because of the potential for abuse, this file must have strict permissions: 1769read/write for the user, and not accessible by others. 1770.It Pa /etc/ssh/ssh_config 1771Systemwide configuration file. 1772This file provides defaults for those 1773values that are not specified in the user's configuration file, and 1774for those users who do not have a configuration file. 1775This file must be world-readable. 1776.El 1777.Sh SEE ALSO 1778.Xr ssh 1 1779.Sh AUTHORS |
1780.An -nosplit |
|
1879OpenSSH is a derivative of the original and free | 1781OpenSSH is a derivative of the original and free |
1880ssh 1.2.12 release by Tatu Ylonen. 1881Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, 1882Theo de Raadt and Dug Song | 1782ssh 1.2.12 release by 1783.An Tatu Ylonen . 1784.An Aaron Campbell , Bob Beck , Markus Friedl , 1785.An Niels Provos , Theo de Raadt 1786and 1787.An Dug Song |
1883removed many bugs, re-added newer features and 1884created OpenSSH. | 1788removed many bugs, re-added newer features and 1789created OpenSSH. |
1885Markus Friedl contributed the support for SSH 1886protocol versions 1.5 and 2.0. | 1790.An Markus Friedl 1791contributed the support for SSH protocol versions 1.5 and 2.0. |