ssh_config.5 (110692) | ssh_config.5 (113911) |
---|---|
1.\" -*- nroff -*- 2.\" 3.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5.\" All rights reserved 6.\" 7.\" As far as I am concerned, the code I have written for this software 8.\" can be used freely for any purpose. Any derived versions of this --- 20 unchanged lines hidden (view full) --- 29.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 30.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 31.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 32.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 33.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 36.\" | 1.\" -*- nroff -*- 2.\" 3.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5.\" All rights reserved 6.\" 7.\" As far as I am concerned, the code I have written for this software 8.\" can be used freely for any purpose. Any derived versions of this --- 20 unchanged lines hidden (view full) --- 29.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 30.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 31.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 32.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 33.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 36.\" |
37.\" $OpenBSD: ssh_config.5,v 1.5 2002/08/29 22:54:10 stevesk Exp $ 38.\" $FreeBSD: head/crypto/openssh/ssh_config.5 110692 2003-02-11 12:11:15Z des $ | 37.\" $OpenBSD: ssh_config.5,v 1.7 2003/03/28 10:11:43 jmc Exp $ 38.\" $FreeBSD: head/crypto/openssh/ssh_config.5 113911 2003-04-23 17:13:13Z des $ |
39.Dd September 25, 1999 40.Dt SSH_CONFIG 5 41.Os 42.Sh NAME 43.Nm ssh_config 44.Nd OpenSSH SSH client configuration files 45.Sh SYNOPSIS 46.Bl -tag -width Ds -compact --- 125 unchanged lines hidden (view full) --- 172.Dq des 173are supported. 174.Ar des 175is only supported in the 176.Nm ssh 177client for interoperability with legacy protocol 1 implementations 178that do not support the 179.Ar 3des | 39.Dd September 25, 1999 40.Dt SSH_CONFIG 5 41.Os 42.Sh NAME 43.Nm ssh_config 44.Nd OpenSSH SSH client configuration files 45.Sh SYNOPSIS 46.Bl -tag -width Ds -compact --- 125 unchanged lines hidden (view full) --- 172.Dq des 173are supported. 174.Ar des 175is only supported in the 176.Nm ssh 177client for interoperability with legacy protocol 1 implementations 178that do not support the 179.Ar 3des |
180cipher. Its use is strongly discouraged due to cryptographic 181weaknesses. | 180cipher. 181Its use is strongly discouraged due to cryptographic weaknesses. |
182The default is 183.Dq 3des . 184.It Cm Ciphers 185Specifies the ciphers allowed for protocol version 2 186in order of preference. 187Multiple ciphers must be comma-separated. 188The default is 189.Pp 190.Bd -literal 191 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, 192 aes192-cbc,aes256-cbc'' 193.Ed 194.It Cm ClearAllForwardings 195Specifies that all local, remote and dynamic port forwardings 196specified in the configuration files or on the command line be | 182The default is 183.Dq 3des . 184.It Cm Ciphers 185Specifies the ciphers allowed for protocol version 2 186in order of preference. 187Multiple ciphers must be comma-separated. 188The default is 189.Pp 190.Bd -literal 191 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, 192 aes192-cbc,aes256-cbc'' 193.Ed 194.It Cm ClearAllForwardings 195Specifies that all local, remote and dynamic port forwardings 196specified in the configuration files or on the command line be |
197cleared. This option is primarily useful when used from the | 197cleared. 198This option is primarily useful when used from the |
198.Nm ssh 199command line to clear port forwardings set in 200configuration files, and is automatically set by 201.Xr scp 1 202and 203.Xr sftp 1 . 204The argument must be 205.Dq yes --- 20 unchanged lines hidden (view full) --- 226Specifies the number of tries (one per second) to make before exiting. 227The argument must be an integer. 228This may be useful in scripts if the connection sometimes fails. 229The default is 1. 230.It Cm DynamicForward 231Specifies that a TCP/IP port on the local machine be forwarded 232over the secure channel, and the application 233protocol is then used to determine where to connect to from the | 199.Nm ssh 200command line to clear port forwardings set in 201configuration files, and is automatically set by 202.Xr scp 1 203and 204.Xr sftp 1 . 205The argument must be 206.Dq yes --- 20 unchanged lines hidden (view full) --- 227Specifies the number of tries (one per second) to make before exiting. 228The argument must be an integer. 229This may be useful in scripts if the connection sometimes fails. 230The default is 1. 231.It Cm DynamicForward 232Specifies that a TCP/IP port on the local machine be forwarded 233over the secure channel, and the application 234protocol is then used to determine where to connect to from the |
234remote machine. The argument must be a port number. | 235remote machine. 236The argument must be a port number. |
235Currently the SOCKS4 protocol is supported, and 236.Nm ssh 237will act as a SOCKS4 server. 238Multiple forwardings may be specified, and | 237Currently the SOCKS4 protocol is supported, and 238.Nm ssh 239will act as a SOCKS4 server. 240Multiple forwardings may be specified, and |
239additional forwardings can be given on the command line. Only 240the superuser can forward privileged ports. | 241additional forwardings can be given on the command line. 242Only the superuser can forward privileged ports. |
241.It Cm EscapeChar 242Sets the escape character (default: 243.Ql ~ ) . 244The escape character can also 245be set on the command line. 246The argument should be a single character, 247.Ql ^ 248followed by a letter, or --- 6 unchanged lines hidden (view full) --- 255will be forwarded to the remote machine. 256The argument must be 257.Dq yes 258or 259.Dq no . 260The default is 261.Dq no . 262.Pp | 243.It Cm EscapeChar 244Sets the escape character (default: 245.Ql ~ ) . 246The escape character can also 247be set on the command line. 248The argument should be a single character, 249.Ql ^ 250followed by a letter, or --- 6 unchanged lines hidden (view full) --- 257will be forwarded to the remote machine. 258The argument must be 259.Dq yes 260or 261.Dq no . 262The default is 263.Dq no . 264.Pp |
263Agent forwarding should be enabled with caution. Users with the 264ability to bypass file permissions on the remote host (for the agent's 265Unix-domain socket) can access the local agent through the forwarded 266connection. An attacker cannot obtain key material from the agent, | 265Agent forwarding should be enabled with caution. 266Users with the ability to bypass file permissions on the remote host 267(for the agent's Unix-domain socket) 268can access the local agent through the forwarded connection. 269An attacker cannot obtain key material from the agent, |
267however they can perform operations on the keys that enable them to 268authenticate using the identities loaded into the agent. 269.It Cm ForwardX11 270Specifies whether X11 connections will be automatically redirected 271over the secure channel and 272.Ev DISPLAY 273set. 274The argument must be 275.Dq yes 276or 277.Dq no . 278The default is 279.Dq no . 280.Pp | 270however they can perform operations on the keys that enable them to 271authenticate using the identities loaded into the agent. 272.It Cm ForwardX11 273Specifies whether X11 connections will be automatically redirected 274over the secure channel and 275.Ev DISPLAY 276set. 277The argument must be 278.Dq yes 279or 280.Dq no . 281The default is 282.Dq no . 283.Pp |
281X11 forwarding should be enabled with caution. Users with the ability 282to bypass file permissions on the remote host (for the user's X 283authorization database) can access the local X11 display through the 284forwarded connection. An attacker may then be able to perform 285activities such as keystroke monitoring. | 284X11 forwarding should be enabled with caution. 285Users with the ability to bypass file permissions on the remote host 286(for the user's X authorization database) 287can access the local X11 display through the forwarded connection. 288An attacker may then be able to perform activities such as keystroke monitoring. |
286.It Cm GatewayPorts 287Specifies whether remote hosts are allowed to connect to local 288forwarded ports. 289By default, 290.Nm ssh | 289.It Cm GatewayPorts 290Specifies whether remote hosts are allowed to connect to local 291forwarded ports. 292By default, 293.Nm ssh |
291binds local port forwardings to the loopback address. This 292prevents other remote hosts from connecting to forwarded ports. | 294binds local port forwardings to the loopback address. 295This prevents other remote hosts from connecting to forwarded ports. |
293.Cm GatewayPorts 294can be used to specify that 295.Nm ssh 296should bind local port forwardings to the wildcard address, 297thus allowing remote hosts to connect to forwarded ports. 298The argument must be 299.Dq yes 300or --- 90 unchanged lines hidden (view full) --- 391Multiple forwardings may be specified, and additional 392forwardings can be given on the command line. 393Only the superuser can forward privileged ports. 394.It Cm LogLevel 395Gives the verbosity level that is used when logging messages from 396.Nm ssh . 397The possible values are: 398QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. | 296.Cm GatewayPorts 297can be used to specify that 298.Nm ssh 299should bind local port forwardings to the wildcard address, 300thus allowing remote hosts to connect to forwarded ports. 301The argument must be 302.Dq yes 303or --- 90 unchanged lines hidden (view full) --- 394Multiple forwardings may be specified, and additional 395forwardings can be given on the command line. 396Only the superuser can forward privileged ports. 397.It Cm LogLevel 398Gives the verbosity level that is used when logging messages from 399.Nm ssh . 400The possible values are: 401QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. |
399The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 400and DEBUG3 each specify higher levels of verbose output. | 402The default is INFO. 403DEBUG and DEBUG1 are equivalent. 404DEBUG2 and DEBUG3 each specify higher levels of verbose output. |
401.It Cm MACs 402Specifies the MAC (message authentication code) algorithms 403in order of preference. 404The MAC algorithm is used in protocol version 2 405for data integrity protection. 406Multiple algorithms must be comma-separated. 407The default is 408.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . --- 61 unchanged lines hidden (view full) --- 470It should eventually connect an 471.Xr sshd 8 472server running on some machine, or execute 473.Ic sshd -i 474somewhere. 475Host key management will be done using the 476HostName of the host being connected (defaulting to the name typed by 477the user). | 405.It Cm MACs 406Specifies the MAC (message authentication code) algorithms 407in order of preference. 408The MAC algorithm is used in protocol version 2 409for data integrity protection. 410Multiple algorithms must be comma-separated. 411The default is 412.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . --- 61 unchanged lines hidden (view full) --- 474It should eventually connect an 475.Xr sshd 8 476server running on some machine, or execute 477.Ic sshd -i 478somewhere. 479Host key management will be done using the 480HostName of the host being connected (defaulting to the name typed by 481the user). |
482Setting the command to 483.Dq none 484disables this option entirely. |
|
478Note that 479.Cm CheckHostIP 480is not available for connects with a proxy command. 481.Pp 482.It Cm PubkeyAuthentication 483Specifies whether to try public key authentication. 484The argument to this keyword must be 485.Dq yes --- 125 unchanged lines hidden (view full) --- 611.It Cm UserKnownHostsFile 612Specifies a file to use for the user 613host key database instead of 614.Pa $HOME/.ssh/known_hosts . 615.It Cm VersionAddendum 616Specifies a string to append to the regular version string to identify 617OS- or site-specific modifications. 618The default is | 485Note that 486.Cm CheckHostIP 487is not available for connects with a proxy command. 488.Pp 489.It Cm PubkeyAuthentication 490Specifies whether to try public key authentication. 491The argument to this keyword must be 492.Dq yes --- 125 unchanged lines hidden (view full) --- 618.It Cm UserKnownHostsFile 619Specifies a file to use for the user 620host key database instead of 621.Pa $HOME/.ssh/known_hosts . 622.It Cm VersionAddendum 623Specifies a string to append to the regular version string to identify 624OS- or site-specific modifications. 625The default is |
619.Dq FreeBSD-20030201 . | 626.Dq FreeBSD-20030423 . |
620.It Cm XAuthLocation 621Specifies the full pathname of the 622.Xr xauth 1 623program. 624The default is 625.Pa /usr/X11R6/bin/xauth . 626.El 627.Sh FILES --- 28 unchanged lines hidden --- | 627.It Cm XAuthLocation 628Specifies the full pathname of the 629.Xr xauth 1 630program. 631The default is 632.Pa /usr/X11R6/bin/xauth . 633.El 634.Sh FILES --- 28 unchanged lines hidden --- |
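
Review bot: the sentence added at new lines 482-484 under ProxyCommand ("Setting the command to none disables this option entirely.") sits between the host key management sentence and the existing "Note that CheckHostIP is not available for connects with a proxy command." The CheckHostIP note now follows directly after the case where no proxy command is used, which reads oddly. Suggest placing the new sentence after the CheckHostIP note or giving it its own .Pp, and adding a few words on when "none" is meant to be used, since the text does not say what a user would be disabling it against.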
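
Review bot: at new line 626 the VersionAddendum default is edited by hand from "FreeBSD-20030201" to "FreeBSD-20030423", so the page and the binary can disagree whenever only one of them is bumped. Please confirm that the compiled-in default and any other page quoting this string change in the same commit. Since the text says the string is appended to the regular version string, it is also worth one sentence noting that the value is visible to the peer, so sites can decide whether to override it.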
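
Review bot: in the ForwardAgent caution (new lines 265-271) the rewrap to one sentence per line leaves "An attacker cannot obtain key material from the agent, however they can perform operations on the keys ..." as a single sentence joined by a comma across lines 269-270. As the paragraph is being re-broken at sentence boundaries anyway, consider ending the sentence after "agent" and starting "However, they can perform operations ..." on its own line, which matches the new-sentence-new-line convention the rest of this change applies.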