| SSH_CONFIG(5) File Formats Manual SSH_CONFIG(5) |
| |
| NAME |
| ssh_config M-bM-^@M-^S OpenSSH SSH client configuration files |
| |
| SYNOPSIS |
| ~/.ssh/config |
| /etc/ssh/ssh_config |
| |
| DESCRIPTION |
| ssh(1) obtains configuration data from the following sources in the |
| following order: |
| |
| 1. command-line options |
| 2. user's configuration file (~/.ssh/config) |
| 3. system-wide configuration file (/etc/ssh/ssh_config) |
| |
| For each parameter, the first obtained value will be used. The |
| configuration files contain sections separated by M-bM-^@M-^\HostM-bM-^@M-^] specifications, |
| and that section is only applied for hosts that match one of the patterns |
| given in the specification. The matched host name is usually the one |
| given on the command line (see the CanonicalizeHostname option for |
| exceptions.) |
| |
| Since the first obtained value for each parameter is used, more host- |
| specific declarations should be given near the beginning of the file, and |
| general defaults at the end. |
| |
| The configuration file has the following format: |
| |
| Empty lines and lines starting with M-bM-^@M-^X#M-bM-^@M-^Y are comments. Otherwise a line |
| is of the format M-bM-^@M-^\keyword argumentsM-bM-^@M-^]. Configuration options may be |
| separated by whitespace or optional whitespace and exactly one M-bM-^@M-^X=M-bM-^@M-^Y; the |
| latter format is useful to avoid the need to quote whitespace when |
| specifying configuration options using the ssh, scp, and sftp -o option. |
| Arguments may optionally be enclosed in double quotes (") in order to |
| represent arguments containing spaces. |
| |
| The possible keywords and their meanings are as follows (note that |
| keywords are case-insensitive and arguments are case-sensitive): |
| |
| Host Restricts the following declarations (up to the next Host or |
| Match keyword) to be only for those hosts that match one of the |
| patterns given after the keyword. If more than one pattern is |
| provided, they should be separated by whitespace. A single M-bM-^@M-^X*M-bM-^@M-^Y |
| as a pattern can be used to provide global defaults for all |
| hosts. The host is usually the hostname argument given on the |
| command line (see the CanonicalizeHostname option for |
| exceptions.) |
| |
| A pattern entry may be negated by prefixing it with an |
| exclamation mark (M-bM-^@M-^X!M-bM-^@M-^Y). If a negated entry is matched, then the |
| Host entry is ignored, regardless of whether any other patterns |
| on the line match. Negated matches are therefore useful to |
| provide exceptions for wildcard matches. |
| |
| See PATTERNS for more information on patterns. |
| |
| Match Restricts the following declarations (up to the next Host or |
| Match keyword) to be used only when the conditions following the |
| Match keyword are satisfied. Match conditions are specified |
| using one or more criteria or the single token all which always |
| matches. The available criteria keywords are: canonical, exec, |
| host, originalhost, user, and localuser. The all criteria must |
| appear alone or immediately after canonical. Other criteria may |
| be combined arbitrarily. All criteria but all and canonical |
| require an argument. Criteria may be negated by prepending an |
| exclamation mark (M-bM-^@M-^X!M-bM-^@M-^Y). |
| |
| The canonical keyword matches only when the configuration file is |
| being re-parsed after hostname canonicalization (see the |
| CanonicalizeHostname option.) This may be useful to specify |
| conditions that work with canonical host names only. The exec |
| keyword executes the specified command under the user's shell. |
| If the command returns a zero exit status then the condition is |
| considered true. Commands containing whitespace characters must |
| be quoted. The following character sequences in the command will |
| be expanded prior to execution: M-bM-^@M-^X%LM-bM-^@M-^Y will be substituted by the |
| first component of the local host name, M-bM-^@M-^X%lM-bM-^@M-^Y will be substituted |
| by the local host name (including any domain name), M-bM-^@M-^X%hM-bM-^@M-^Y will be |
| substituted by the target host name, M-bM-^@M-^X%nM-bM-^@M-^Y will be substituted by |
| the original target host name specified on the command-line, M-bM-^@M-^X%pM-bM-^@M-^Y |
| the destination port, M-bM-^@M-^X%rM-bM-^@M-^Y by the remote login username, and M-bM-^@M-^X%uM-bM-^@M-^Y |
| by the username of the user running ssh(1). |
| |
| The other keywords' criteria must be single entries or comma- |
| separated lists and may use the wildcard and negation operators |
| described in the PATTERNS section. The criteria for the host |
| keyword are matched against the target hostname, after any |
| substitution by the Hostname or CanonicalizeHostname options. |
| The originalhost keyword matches against the hostname as it was |
| specified on the command-line. The user keyword matches against |
| the target username on the remote host. The localuser keyword |
| matches against the name of the local user running ssh(1) (this |
| keyword may be useful in system-wide ssh_config files). |
| |
| AddKeysToAgent |
| Specifies whether keys should be automatically added to a running |
| ssh-agent(1). If this option is set to M-bM-^@M-^\yesM-bM-^@M-^] and a key is loaded |
| from a file, the key and its passphrase are added to the agent |
| with the default lifetime, as if by ssh-add(1). If this option |
| is set to M-bM-^@M-^\askM-bM-^@M-^], ssh will require confirmation using the |
| SSH_ASKPASS program before adding a key (see ssh-add(1) for |
| details). If this option is set to M-bM-^@M-^\confirmM-bM-^@M-^], each use of the |
| key must be confirmed, as if the -c option was specified to |
| ssh-add(1). If this option is set to M-bM-^@M-^\noM-bM-^@M-^], no keys are added to |
| the agent. The argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\confirmM-bM-^@M-^], M-bM-^@M-^\askM-bM-^@M-^], or |
| M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
| |
| AddressFamily |
| Specifies which address family to use when connecting. Valid |
| arguments are M-bM-^@M-^\anyM-bM-^@M-^], M-bM-^@M-^\inetM-bM-^@M-^] (use IPv4 only), or M-bM-^@M-^\inet6M-bM-^@M-^] (use IPv6 |
| only). The default is M-bM-^@M-^\anyM-bM-^@M-^]. |
| |
| BatchMode |
| If set to M-bM-^@M-^\yesM-bM-^@M-^], passphrase/password querying will be disabled. |
| This option is useful in scripts and other batch jobs where no |
| user is present to supply the password. The argument must be |
| M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
| |
| BindAddress |
| Use the specified address on the local machine as the source |
| address of the connection. Only useful on systems with more than |
| one address. Note that this option does not work if |
| UsePrivilegedPort is set to M-bM-^@M-^\yesM-bM-^@M-^]. |
| |
| CanonicalDomains |
| When CanonicalizeHostname is enabled, this option specifies the |
| list of domain suffixes in which to search for the specified |
| destination host. |
| |
| CanonicalizeFallbackLocal |
| Specifies whether to fail with an error when hostname |
| canonicalization fails. The default, M-bM-^@M-^\yesM-bM-^@M-^], will attempt to look |
| up the unqualified hostname using the system resolver's search |
| rules. A value of M-bM-^@M-^\noM-bM-^@M-^] will cause ssh(1) to fail instantly if |
| CanonicalizeHostname is enabled and the target hostname cannot be |
| found in any of the domains specified by CanonicalDomains. |
| |
| CanonicalizeHostname |
| Controls whether explicit hostname canonicalization is performed. |
| The default, M-bM-^@M-^\noM-bM-^@M-^], is not to perform any name rewriting and let |
| the system resolver handle all hostname lookups. If set to M-bM-^@M-^\yesM-bM-^@M-^] |
| then, for connections that do not use a ProxyCommand, ssh(1) will |
| attempt to canonicalize the hostname specified on the command |
| line using the CanonicalDomains suffixes and |
| CanonicalizePermittedCNAMEs rules. If CanonicalizeHostname is |
| set to M-bM-^@M-^\alwaysM-bM-^@M-^], then canonicalization is applied to proxied |
| connections too. |
| |
| If this option is enabled, then the configuration files are |
| processed again using the new target name to pick up any new |
| configuration in matching Host and Match stanzas. |
| |
| CanonicalizeMaxDots |
| Specifies the maximum number of dot characters in a hostname |
| before canonicalization is disabled. The default, M-bM-^@M-^\1M-bM-^@M-^], allows a |
| single dot (i.e. hostname.subdomain). |
| |
| CanonicalizePermittedCNAMEs |
| Specifies rules to determine whether CNAMEs should be followed |
| when canonicalizing hostnames. The rules consist of one or more |
| arguments of source_domain_list:target_domain_list, where |
| source_domain_list is a pattern-list of domains that may follow |
| CNAMEs in canonicalization, and target_domain_list is a pattern- |
| list of domains that they may resolve to. |
| |
| For example, M-bM-^@M-^\*.a.example.com:*.b.example.com,*.c.example.comM-bM-^@M-^] |
| will allow hostnames matching M-bM-^@M-^\*.a.example.comM-bM-^@M-^] to be |
| canonicalized to names in the M-bM-^@M-^\*.b.example.comM-bM-^@M-^] or |
| M-bM-^@M-^\*.c.example.comM-bM-^@M-^] domains. |
| |
| CertificateFile |
| Specifies a file from which the user's certificate is read. A |
| corresponding private key must be provided separately in order to |
| use this certificate either from an IdentityFile directive or -i |
| flag to ssh(1), via ssh-agent(1), or via a PKCS11Provider. |
| |
| The file name may use the tilde syntax to refer to a user's home |
| directory or one of the following escape characters: M-bM-^@M-^X%dM-bM-^@M-^Y (local |
| user's home directory), M-bM-^@M-^X%uM-bM-^@M-^Y (local user name), M-bM-^@M-^X%lM-bM-^@M-^Y (local host |
| name), M-bM-^@M-^X%hM-bM-^@M-^Y (remote host name) or M-bM-^@M-^X%rM-bM-^@M-^Y (remote user name). |
| |
| It is possible to have multiple certificate files specified in |
| configuration files; these certificates will be tried in |
| sequence. Multiple CertificateFile directives will add to the |
| list of certificates used for authentication. |
| |
| ChallengeResponseAuthentication |
| Specifies whether to use challenge-response authentication. The |
| argument to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is |
| M-bM-^@M-^\yesM-bM-^@M-^]. |
| |
| CheckHostIP |
| If this flag is set to M-bM-^@M-^\yesM-bM-^@M-^], ssh(1) will additionally check the |
| host IP address in the known_hosts file. This allows ssh to |
| detect if a host key changed due to DNS spoofing and will add |
| addresses of destination hosts to ~/.ssh/known_hosts in the |
| process, regardless of the setting of StrictHostKeyChecking. If |
| the option is set to M-bM-^@M-^\noM-bM-^@M-^], the check will not be executed. The |
| default is M-bM-^@M-^\yesM-bM-^@M-^]. |
| |
| Cipher Specifies the cipher to use for encrypting the session in |
| protocol version 1. Currently, M-bM-^@M-^\blowfishM-bM-^@M-^], M-bM-^@M-^\3desM-bM-^@M-^], and M-bM-^@M-^\desM-bM-^@M-^] are |
| supported. des is only supported in the ssh(1) client for |
| interoperability with legacy protocol 1 implementations that do |
| not support the 3des cipher. Its use is strongly discouraged due |
| to cryptographic weaknesses. The default is M-bM-^@M-^\3desM-bM-^@M-^]. |
| |
| Ciphers |
| Specifies the ciphers allowed for protocol version 2 in order of |
| preference. Multiple ciphers must be comma-separated. If the |
| specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified |
| ciphers will be appended to the default set instead of replacing |
| them. |
| |
| The supported ciphers are: |
| |
| 3des-cbc |
| aes128-cbc |
| aes192-cbc |
| aes256-cbc |
| aes128-ctr |
| aes192-ctr |
| aes256-ctr |
| aes128-gcm@openssh.com |
| aes256-gcm@openssh.com |
| arcfour |
| arcfour128 |
| arcfour256 |
| blowfish-cbc |
| cast128-cbc |
| chacha20-poly1305@openssh.com |
| |
| The default is: |
| |
| chacha20-poly1305@openssh.com, |
| aes128-ctr,aes192-ctr,aes256-ctr, |
| aes128-gcm@openssh.com,aes256-gcm@openssh.com, |
| aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc |
| |
| The list of available ciphers may also be obtained using the -Q |
| option of ssh(1) with an argument of M-bM-^@M-^\cipherM-bM-^@M-^]. |
| |
| ClearAllForwardings |
| Specifies that all local, remote, and dynamic port forwardings |
| specified in the configuration files or on the command line be |
| cleared. This option is primarily useful when used from the |
| ssh(1) command line to clear port forwardings set in |
| configuration files, and is automatically set by scp(1) and |
| sftp(1). The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is |
| M-bM-^@M-^\noM-bM-^@M-^]. |
| |
| Compression |
| Specifies whether to use compression. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] |
| or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
| |
| CompressionLevel |
| Specifies the compression level to use if compression is enabled. |
| The argument must be an integer from 1 (fast) to 9 (slow, best). |
| The default level is 6, which is good for most applications. The |
| meaning of the values is the same as in gzip(1). Note that this |
| option applies to protocol version 1 only. |
| |
| ConnectionAttempts |
| Specifies the number of tries (one per second) to make before |
| exiting. The argument must be an integer. This may be useful in |
| scripts if the connection sometimes fails. The default is 1. |
| |
| ConnectTimeout |
| Specifies the timeout (in seconds) used when connecting to the |
| SSH server, instead of using the default system TCP timeout. |
| This value is used only when the target is down or really |
| unreachable, not when it refuses the connection. |
| |
| ControlMaster |
| Enables the sharing of multiple sessions over a single network |
| connection. When set to M-bM-^@M-^\yesM-bM-^@M-^], ssh(1) will listen for |
| connections on a control socket specified using the ControlPath |
| argument. Additional sessions can connect to this socket using |
| the same ControlPath with ControlMaster set to M-bM-^@M-^\noM-bM-^@M-^] (the |
| default). These sessions will try to reuse the master instance's |
| network connection rather than initiating new ones, but will fall |
| back to connecting normally if the control socket does not exist, |
| or is not listening. |
| |
| Setting this to M-bM-^@M-^\askM-bM-^@M-^] will cause ssh to listen for control |
| connections, but require confirmation using ssh-askpass(1). If |
| the ControlPath cannot be opened, ssh will continue without |
| connecting to a master instance. |
| |
| X11 and ssh-agent(1) forwarding is supported over these |
| multiplexed connections, however the display and agent forwarded |
| will be the one belonging to the master connection i.e. it is not |
| possible to forward multiple displays or agents. |
| |
| Two additional options allow for opportunistic multiplexing: try |
| to use a master connection but fall back to creating a new one if |
| one does not already exist. These options are: M-bM-^@M-^\autoM-bM-^@M-^] and |
| M-bM-^@M-^\autoaskM-bM-^@M-^]. The latter requires confirmation like the M-bM-^@M-^\askM-bM-^@M-^] |
| option. |
| |
| ControlPath |
| Specify the path to the control socket used for connection |
| sharing as described in the ControlMaster section above or the |
| string M-bM-^@M-^\noneM-bM-^@M-^] to disable connection sharing. In the path, M-bM-^@M-^X%LM-bM-^@M-^Y |
| will be substituted by the first component of the local host |
| name, M-bM-^@M-^X%lM-bM-^@M-^Y will be substituted by the local host name (including |
| any domain name), M-bM-^@M-^X%hM-bM-^@M-^Y will be substituted by the target host |
| name, M-bM-^@M-^X%nM-bM-^@M-^Y will be substituted by the original target host name |
| specified on the command line, M-bM-^@M-^X%pM-bM-^@M-^Y the destination port, M-bM-^@M-^X%rM-bM-^@M-^Y by |
| the remote login username, M-bM-^@M-^X%uM-bM-^@M-^Y by the username and M-bM-^@M-^X%iM-bM-^@M-^Y by the |
| numeric user ID (uid) of the user running ssh(1), and M-bM-^@M-^X%CM-bM-^@M-^Y by a |
| hash of the concatenation: %l%h%p%r. It is recommended that any |
| ControlPath used for opportunistic connection sharing include at |
| least %h, %p, and %r (or alternatively %C) and be placed in a |
| directory that is not writable by other users. This ensures that |
| shared connections are uniquely identified. |
| |
| ControlPersist |
| When used in conjunction with ControlMaster, specifies that the |
| master connection should remain open in the background (waiting |
| for future client connections) after the initial client |
| connection has been closed. If set to M-bM-^@M-^\noM-bM-^@M-^], then the master |
| connection will not be placed into the background, and will close |
| as soon as the initial client connection is closed. If set to |
| M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\0M-bM-^@M-^], then the master connection will remain in the |
| background indefinitely (until killed or closed via a mechanism |
| such as the ssh(1) M-bM-^@M-^\-O exitM-bM-^@M-^] option). If set to a time in |
| seconds, or a time in any of the formats documented in |
| sshd_config(5), then the backgrounded master connection will |
| automatically terminate after it has remained idle (with no |
| client connections) for the specified time. |
| |
| DynamicForward |
| Specifies that a TCP port on the local machine be forwarded over |
| the secure channel, and the application protocol is then used to |
| determine where to connect to from the remote machine. |
| |
| The argument must be [bind_address:]port. IPv6 addresses can be |
| specified by enclosing addresses in square brackets. By default, |
| the local port is bound in accordance with the GatewayPorts |
| setting. However, an explicit bind_address may be used to bind |
| the connection to a specific address. The bind_address of |
| M-bM-^@M-^\localhostM-bM-^@M-^] indicates that the listening port be bound for local |
| use only, while an empty address or M-bM-^@M-^X*M-bM-^@M-^Y indicates that the port |
| should be available from all interfaces. |
| |
| Currently the SOCKS4 and SOCKS5 protocols are supported, and |
| ssh(1) will act as a SOCKS server. Multiple forwardings may be |
| specified, and additional forwardings can be given on the command |
| line. Only the superuser can forward privileged ports. |
| |
| EnableSSHKeysign |
| Setting this option to M-bM-^@M-^\yesM-bM-^@M-^] in the global client configuration |
| file /etc/ssh/ssh_config enables the use of the helper program |
| ssh-keysign(8) during HostbasedAuthentication. The argument must |
| be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. This option should be |
| placed in the non-hostspecific section. See ssh-keysign(8) for |
| more information. |
| |
| EscapeChar |
| Sets the escape character (default: M-bM-^@M-^X~M-bM-^@M-^Y). The escape character |
| can also be set on the command line. The argument should be a |
| single character, M-bM-^@M-^X^M-bM-^@M-^Y followed by a letter, or M-bM-^@M-^\noneM-bM-^@M-^] to disable |
| the escape character entirely (making the connection transparent |
| for binary data). |
| |
| ExitOnForwardFailure |
| Specifies whether ssh(1) should terminate the connection if it |
| cannot set up all requested dynamic, tunnel, local, and remote |
| port forwardings, (e.g. if either end is unable to bind and |
| listen on a specified port). Note that ExitOnForwardFailure does |
| not apply to connections made over port forwardings and will not, |
| for example, cause ssh(1) to exit if TCP connections to the |
| ultimate forwarding destination fail. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] |
| or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
| |
| FingerprintHash |
| Specifies the hash algorithm used when displaying key |
| fingerprints. Valid options are: M-bM-^@M-^\md5M-bM-^@M-^] and M-bM-^@M-^\sha256M-bM-^@M-^]. The |
| default is M-bM-^@M-^\sha256M-bM-^@M-^]. |
| |
| ForwardAgent |
| Specifies whether the connection to the authentication agent (if |
| any) will be forwarded to the remote machine. The argument must |
| be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
| |
| Agent forwarding should be enabled with caution. Users with the |
| ability to bypass file permissions on the remote host (for the |
| agent's Unix-domain socket) can access the local agent through |
| the forwarded connection. An attacker cannot obtain key material |
| from the agent, however they can perform operations on the keys |
| that enable them to authenticate using the identities loaded into |
| the agent. |
| |
| ForwardX11 |
| Specifies whether X11 connections will be automatically |
| redirected over the secure channel and DISPLAY set. The argument |
| must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
| |
| X11 forwarding should be enabled with caution. Users with the |
| ability to bypass file permissions on the remote host (for the |
| user's X11 authorization database) can access the local X11 |
| display through the forwarded connection. An attacker may then |
| be able to perform activities such as keystroke monitoring if the |
| ForwardX11Trusted option is also enabled. |
| |
| ForwardX11Timeout |
| Specify a timeout for untrusted X11 forwarding using the format |
| described in the TIME FORMATS section of sshd_config(5). X11 |
| connections received by ssh(1) after this time will be refused. |
| The default is to disable untrusted X11 forwarding after twenty |
| minutes has elapsed. |
| |
| ForwardX11Trusted |
| If this option is set to M-bM-^@M-^\yesM-bM-^@M-^], remote X11 clients will have full |
| access to the original X11 display. |
| |
| If this option is set to M-bM-^@M-^\noM-bM-^@M-^], remote X11 clients will be |
| considered untrusted and prevented from stealing or tampering |
| with data belonging to trusted X11 clients. Furthermore, the |
| xauth(1) token used for the session will be set to expire after |
| 20 minutes. Remote clients will be refused access after this |
| time. |
| |
| The default is M-bM-^@M-^\noM-bM-^@M-^]. |
| |
| See the X11 SECURITY extension specification for full details on |
| the restrictions imposed on untrusted clients. |
| |
| GatewayPorts |
| Specifies whether remote hosts are allowed to connect to local |
| forwarded ports. By default, ssh(1) binds local port forwardings |
| to the loopback address. This prevents other remote hosts from |
| connecting to forwarded ports. GatewayPorts can be used to |
| specify that ssh should bind local port forwardings to the |
| wildcard address, thus allowing remote hosts to connect to |
| forwarded ports. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The |
| default is M-bM-^@M-^\noM-bM-^@M-^]. |
| |
| GlobalKnownHostsFile |
| Specifies one or more files to use for the global host key |
| database, separated by whitespace. The default is |
| /etc/ssh/ssh_known_hosts, /etc/ssh/ssh_known_hosts2. |
| |
| GSSAPIAuthentication |
| Specifies whether user authentication based on GSSAPI is allowed. |
| The default is M-bM-^@M-^\noM-bM-^@M-^]. |
| |
| GSSAPIDelegateCredentials |
| Forward (delegate) credentials to the server. The default is |
| M-bM-^@M-^\noM-bM-^@M-^]. |
| |
| HashKnownHosts |
| Indicates that ssh(1) should hash host names and addresses when |
| they are added to ~/.ssh/known_hosts. These hashed names may be |
| used normally by ssh(1) and sshd(8), but they do not reveal |
| identifying information should the file's contents be disclosed. |
| The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that existing names and addresses in |
| known hosts files will not be converted automatically, but may be |
| manually hashed using ssh-keygen(1). |
| |
| HostbasedAuthentication |
| Specifies whether to try rhosts based authentication with public |
| key authentication. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The |
| default is M-bM-^@M-^\noM-bM-^@M-^]. |
| |
| HostbasedKeyTypes |
| Specifies the key types that will be used for hostbased |
| authentication as a comma-separated pattern list. Alternately if |
| the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the |
| specified key types will be appended to the default set instead |
| of replacing them. The default for this option is: |
| |
| ecdsa-sha2-nistp256-cert-v01@openssh.com, |
| ecdsa-sha2-nistp384-cert-v01@openssh.com, |
| ecdsa-sha2-nistp521-cert-v01@openssh.com, |
| ssh-ed25519-cert-v01@openssh.com, |
| ssh-rsa-cert-v01@openssh.com, |
| ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
| ssh-ed25519,ssh-rsa |
| |
| The -Q option of ssh(1) may be used to list supported key types. |
| |
| HostKeyAlgorithms |
| Specifies the host key algorithms that the client wants to use in |
| order of preference. Alternately if the specified value begins |
| with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified key types will be |
| appended to the default set instead of replacing them. The |
| default for this option is: |
| |
| ecdsa-sha2-nistp256-cert-v01@openssh.com, |
| ecdsa-sha2-nistp384-cert-v01@openssh.com, |
| ecdsa-sha2-nistp521-cert-v01@openssh.com, |
| ssh-ed25519-cert-v01@openssh.com, |
| ssh-rsa-cert-v01@openssh.com, |
| ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
| ssh-ed25519,ssh-rsa |
| |
| If hostkeys are known for the destination host then this default |
| is modified to prefer their algorithms. |
| |
| The list of available key types may also be obtained using the -Q |
| option of ssh(1) with an argument of M-bM-^@M-^\keyM-bM-^@M-^]. |
| |
| HostKeyAlias |
| Specifies an alias that should be used instead of the real host |
| name when looking up or saving the host key in the host key |
| database files. This option is useful for tunneling SSH |
| connections or for multiple servers running on a single host. |
| |
| HostName |
| Specifies the real host name to log into. This can be used to |
| specify nicknames or abbreviations for hosts. If the hostname |
| contains the character sequence M-bM-^@M-^X%hM-bM-^@M-^Y, then this will be replaced |
| with the host name specified on the command line (this is useful |
| for manipulating unqualified names). The character sequence M-bM-^@M-^X%%M-bM-^@M-^Y |
| will be replaced by a single M-bM-^@M-^X%M-bM-^@M-^Y character, which may be used |
| when specifying IPv6 link-local addresses. |
| |
| The default is the name given on the command line. Numeric IP |
| addresses are also permitted (both on the command line and in |
| HostName specifications). |
| |
| IdentitiesOnly |
| Specifies that ssh(1) should only use the authentication identity |
| and certificate files explicitly configured in the ssh_config |
| files or passed on the ssh(1) command-line, even if ssh-agent(1) |
| or a PKCS11Provider offers more identities. The argument to this |
| keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. This option is intended for |
| situations where ssh-agent offers many different identities. The |
| default is M-bM-^@M-^\noM-bM-^@M-^]. |
| |
| IdentityAgent |
| Specifies the UNIX-domain socket used to communicate with the |
| authentication agent. |
| |
| This option overrides the M-bM-^@M-^\SSH_AUTH_SOCKM-bM-^@M-^] environment variable |
| and can be used to select a specific agent. Setting the socket |
| name to M-bM-^@M-^\noneM-bM-^@M-^] disables the use of an authentication agent. If |
| the string M-bM-^@M-^\SSH_AUTH_SOCKM-bM-^@M-^] is specified, the location of the |
| socket will be read from the SSH_AUTH_SOCK environment variable. |
| |
| The socket name may use the tilde syntax to refer to a user's |
| home directory or one of the following escape characters: M-bM-^@M-^X%dM-bM-^@M-^Y |
| (local user's home directory), M-bM-^@M-^X%uM-bM-^@M-^Y (local user name), M-bM-^@M-^X%lM-bM-^@M-^Y |
| (local host name), M-bM-^@M-^X%hM-bM-^@M-^Y (remote host name) or M-bM-^@M-^X%rM-bM-^@M-^Y (remote user |
| name). |
| |
| IdentityFile |
| Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA |
| authentication identity is read. The default is ~/.ssh/identity |
| for protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, |
| ~/.ssh/id_ed25519 and ~/.ssh/id_rsa for protocol version 2. |
| Additionally, any identities represented by the authentication |
| agent will be used for authentication unless IdentitiesOnly is |
| set. If no certificates have been explicitly specified by |
| CertificateFile, ssh(1) will try to load certificate information |
| from the filename obtained by appending -cert.pub to the path of |
| a specified IdentityFile. |
| |
| The file name may use the tilde syntax to refer to a user's home |
| directory or one of the following escape characters: M-bM-^@M-^X%dM-bM-^@M-^Y (local |
| user's home directory), M-bM-^@M-^X%uM-bM-^@M-^Y (local user name), M-bM-^@M-^X%lM-bM-^@M-^Y (local host |
| name), M-bM-^@M-^X%hM-bM-^@M-^Y (remote host name) or M-bM-^@M-^X%rM-bM-^@M-^Y (remote user name). |
| |
| It is possible to have multiple identity files specified in |
| configuration files; all these identities will be tried in |
| sequence. Multiple IdentityFile directives will add to the list |
| of identities tried (this behaviour differs from that of other |
| configuration directives). |
| |
| IdentityFile may be used in conjunction with IdentitiesOnly to |
| select which identities in an agent are offered during |
| authentication. IdentityFile may also be used in conjunction |
| with CertificateFile in order to provide any certificate also |
| needed for authentication with the identity. |
| |
| IgnoreUnknown |
| Specifies a pattern-list of unknown options to be ignored if they |
| are encountered in configuration parsing. This may be used to |
| suppress errors if ssh_config contains options that are |
| unrecognised by ssh(1). It is recommended that IgnoreUnknown be |
| listed early in the configuration file as it will not be applied |
| to unknown options that appear before it. |
| |
| Include |
| Include the specified configuration file(s). Multiple pathnames |
| may be specified and each pathname may contain glob(3) wildcards |
| and, for user configurations, shell-like M-bM-^@M-^\~M-bM-^@M-^] references to user |
| home directories. Files without absolute paths are assumed to be |
| in ~/.ssh if included in a user configuration file or /etc/ssh if |
| included from the system configuration file. Include directive |
| may appear inside a Match or Host block to perform conditional |
| inclusion. |
| |
| IPQoS Specifies the IPv4 type-of-service or DSCP class for connections. |
| Accepted values are M-bM-^@M-^\af11M-bM-^@M-^], M-bM-^@M-^\af12M-bM-^@M-^], M-bM-^@M-^\af13M-bM-^@M-^], M-bM-^@M-^\af21M-bM-^@M-^], M-bM-^@M-^\af22M-bM-^@M-^], |
| M-bM-^@M-^\af23M-bM-^@M-^], M-bM-^@M-^\af31M-bM-^@M-^], M-bM-^@M-^\af32M-bM-^@M-^], M-bM-^@M-^\af33M-bM-^@M-^], M-bM-^@M-^\af41M-bM-^@M-^], M-bM-^@M-^\af42M-bM-^@M-^], M-bM-^@M-^\af43M-bM-^@M-^], M-bM-^@M-^\cs0M-bM-^@M-^], |
| M-bM-^@M-^\cs1M-bM-^@M-^], M-bM-^@M-^\cs2M-bM-^@M-^], M-bM-^@M-^\cs3M-bM-^@M-^], M-bM-^@M-^\cs4M-bM-^@M-^], M-bM-^@M-^\cs5M-bM-^@M-^], M-bM-^@M-^\cs6M-bM-^@M-^], M-bM-^@M-^\cs7M-bM-^@M-^], M-bM-^@M-^\efM-bM-^@M-^], |
| M-bM-^@M-^\lowdelayM-bM-^@M-^], M-bM-^@M-^\throughputM-bM-^@M-^], M-bM-^@M-^\reliabilityM-bM-^@M-^], or a numeric value. |
| This option may take one or two arguments, separated by |
| whitespace. If one argument is specified, it is used as the |
| packet class unconditionally. If two values are specified, the |
| first is automatically selected for interactive sessions and the |
| second for non-interactive sessions. The default is M-bM-^@M-^\lowdelayM-bM-^@M-^] |
| for interactive sessions and M-bM-^@M-^\throughputM-bM-^@M-^] for non-interactive |
| sessions. |
| |
| KbdInteractiveAuthentication |
| Specifies whether to use keyboard-interactive authentication. |
| The argument to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default |
| is M-bM-^@M-^\yesM-bM-^@M-^]. |
| |
| KbdInteractiveDevices |
| Specifies the list of methods to use in keyboard-interactive |
| authentication. Multiple method names must be comma-separated. |
| The default is to use the server specified list. The methods |
| available vary depending on what the server supports. For an |
| OpenSSH server, it may be zero or more of: M-bM-^@M-^\bsdauthM-bM-^@M-^], M-bM-^@M-^\pamM-bM-^@M-^], and |
| M-bM-^@M-^\skeyM-bM-^@M-^]. |
| |
| KexAlgorithms |
| Specifies the available KEX (Key Exchange) algorithms. Multiple |
| algorithms must be comma-separated. Alternately if the specified |
| value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified methods |
| will be appended to the default set instead of replacing them. |
| The default is: |
| |
| curve25519-sha256@libssh.org, |
| ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, |
| diffie-hellman-group-exchange-sha256, |
| diffie-hellman-group-exchange-sha1, |
| diffie-hellman-group14-sha1 |
| |
| The list of available key exchange algorithms may also be |
| obtained using the -Q option of ssh(1) with an argument of M-bM-^@M-^\kexM-bM-^@M-^]. |
| |
| LocalCommand |
| Specifies a command to execute on the local machine after |
| successfully connecting to the server. The command string |
| extends to the end of the line, and is executed with the user's |
| shell. The following escape character substitutions will be |
| performed: M-bM-^@M-^X%dM-bM-^@M-^Y (local user's home directory), M-bM-^@M-^X%hM-bM-^@M-^Y (remote host |
| name), M-bM-^@M-^X%lM-bM-^@M-^Y (local host name), M-bM-^@M-^X%nM-bM-^@M-^Y (host name as provided on the |
| command line), M-bM-^@M-^X%pM-bM-^@M-^Y (remote port), M-bM-^@M-^X%rM-bM-^@M-^Y (remote user name) or |
| M-bM-^@M-^X%uM-bM-^@M-^Y (local user name) or M-bM-^@M-^X%CM-bM-^@M-^Y by a hash of the concatenation: |
| %l%h%p%r. |
| |
| The command is run synchronously and does not have access to the |
| session of the ssh(1) that spawned it. It should not be used for |
| interactive commands. |
| |
| This directive is ignored unless PermitLocalCommand has been |
| enabled. |
| |
| LocalForward |
| Specifies that a TCP port on the local machine be forwarded over |
| the secure channel to the specified host and port from the remote |
| machine. The first argument must be [bind_address:]port and the |
| second argument must be host:hostport. IPv6 addresses can be |
| specified by enclosing addresses in square brackets. Multiple |
| forwardings may be specified, and additional forwardings can be |
| given on the command line. Only the superuser can forward |
| privileged ports. By default, the local port is bound in |
| accordance with the GatewayPorts setting. However, an explicit |
| bind_address may be used to bind the connection to a specific |
| address. The bind_address of M-bM-^@M-^\localhostM-bM-^@M-^] indicates that the |
| listening port be bound for local use only, while an empty |
| address or M-bM-^@M-^X*M-bM-^@M-^Y indicates that the port should be available from |
| all interfaces. |
| |
| LogLevel |
| Gives the verbosity level that is used when logging messages from |
| ssh(1). The possible values are: QUIET, FATAL, ERROR, INFO, |
| VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. |
| DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify |
| higher levels of verbose output. |
| |
| MACs Specifies the MAC (message authentication code) algorithms in |
| order of preference. The MAC algorithm is used for data |
| integrity protection. Multiple algorithms must be comma- |
| separated. If the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, |
| then the specified algorithms will be appended to the default set |
| instead of replacing them. |
| |
| The algorithms that contain M-bM-^@M-^\-etmM-bM-^@M-^] calculate the MAC after |
| encryption (encrypt-then-mac). These are considered safer and |
| their use recommended. |
| |
| The default is: |
| |
| umac-64-etm@openssh.com,umac-128-etm@openssh.com, |
| hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, |
| hmac-sha1-etm@openssh.com, |
| umac-64@openssh.com,umac-128@openssh.com, |
| hmac-sha2-256,hmac-sha2-512,hmac-sha1 |
| |
| The list of available MAC algorithms may also be obtained using |
| the -Q option of ssh(1) with an argument of M-bM-^@M-^\macM-bM-^@M-^]. |
| |
| NoHostAuthenticationForLocalhost |
| This option can be used if the home directory is shared across |
| machines. In this case localhost will refer to a different |
| machine on each of the machines and the user will get many |
| warnings about changed host keys. However, this option disables |
| host authentication for localhost. The argument to this keyword |
| must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is to check the host key for |
| localhost. |
| |
| NumberOfPasswordPrompts |
| Specifies the number of password prompts before giving up. The |
| argument to this keyword must be an integer. The default is 3. |
| |
| PasswordAuthentication |
| Specifies whether to use password authentication. The argument |
| to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\yesM-bM-^@M-^]. |
| |
| PermitLocalCommand |
| Allow local command execution via the LocalCommand option or |
| using the !command escape sequence in ssh(1). The argument must |
| be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
| |
| PKCS11Provider |
| Specifies which PKCS#11 provider to use. The argument to this |
| keyword is the PKCS#11 shared library ssh(1) should use to |
| communicate with a PKCS#11 token providing the user's private RSA |
| key. |
| |
| Port Specifies the port number to connect on the remote host. The |
| default is 22. |
| |
| PreferredAuthentications |
| Specifies the order in which the client should try authentication |
| methods. This allows a client to prefer one method (e.g. |
| keyboard-interactive) over another method (e.g. password). The |
| default is: |
| |
| gssapi-with-mic,hostbased,publickey, |
| keyboard-interactive,password |
| |
| Protocol |
| Specifies the protocol versions ssh(1) should support in order of |
| preference. The possible values are M-bM-^@M-^X1M-bM-^@M-^Y and M-bM-^@M-^X2M-bM-^@M-^Y. Multiple |
| versions must be comma-separated. When this option is set to |
| M-bM-^@M-^\2,1M-bM-^@M-^] ssh will try version 2 and fall back to version 1 if |
| version 2 is not available. The default is M-bM-^@M-^X2M-bM-^@M-^Y. Protocol 1 |
| suffers from a number of cryptographic weaknesses and should not |
| be used. It is only offered to support legacy devices. |
| |
| ProxyCommand |
| Specifies the command to use to connect to the server. The |
| command string extends to the end of the line, and is executed |
| using the user's shell M-bM-^@M-^XexecM-bM-^@M-^Y directive to avoid a lingering |
| shell process. |
| |
| In the command string, any occurrence of M-bM-^@M-^X%hM-bM-^@M-^Y will be substituted |
| by the host name to connect, M-bM-^@M-^X%pM-bM-^@M-^Y by the port, and M-bM-^@M-^X%rM-bM-^@M-^Y by the |
| remote user name. The command can be basically anything, and |
| should read from its standard input and write to its standard |
| output. It should eventually connect an sshd(8) server running |
| on some machine, or execute sshd -i somewhere. Host key |
| management will be done using the HostName of the host being |
| connected (defaulting to the name typed by the user). Setting |
| the command to M-bM-^@M-^\noneM-bM-^@M-^] disables this option entirely. Note that |
| CheckHostIP is not available for connects with a proxy command. |
| |
| This directive is useful in conjunction with nc(1) and its proxy |
| support. For example, the following directive would connect via |
| an HTTP proxy at 192.0.2.0: |
| |
| ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p |
| |
| ProxyJump |
| Specifies one or more jump proxies as [user@]host[:port]. |
| Multiple proxies may be separated by comma characters and will be |
| visited sequentially. Setting this option will cause ssh(1) to |
| connect to the target host by first making a ssh(1) connection to |
| the specified ProxyJump host and then establishing a TCP |
| forwarding to the ultimate target from there. |
| |
| Note that this option will compete with the ProxyCommand option - |
| whichever is specified first will prevent later instances of the |
| other from taking effect. |
| |
| ProxyUseFdpass |
| Specifies that ProxyCommand will pass a connected file descriptor |
| back to ssh(1) instead of continuing to execute and pass data. |
| The default is M-bM-^@M-^\noM-bM-^@M-^]. |
| |
| PubkeyAcceptedKeyTypes |
| Specifies the key types that will be used for public key |
| authentication as a comma-separated pattern list. Alternately if |
| the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the key |
| types after it will be appended to the default instead of |
| replacing it. The default for this option is: |
| |
| ecdsa-sha2-nistp256-cert-v01@openssh.com, |
| ecdsa-sha2-nistp384-cert-v01@openssh.com, |
| ecdsa-sha2-nistp521-cert-v01@openssh.com, |
| ssh-ed25519-cert-v01@openssh.com, |
| ssh-rsa-cert-v01@openssh.com, |
| ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
| ssh-ed25519,ssh-rsa |
| |
| The -Q option of ssh(1) may be used to list supported key types. |
| |
| PubkeyAuthentication |
| Specifies whether to try public key authentication. The argument |
| to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\yesM-bM-^@M-^]. |
| |
| RekeyLimit |
| Specifies the maximum amount of data that may be transmitted |
| before the session key is renegotiated, optionally followed a |
| maximum amount of time that may pass before the session key is |
| renegotiated. The first argument is specified in bytes and may |
| have a suffix of M-bM-^@M-^XKM-bM-^@M-^Y, M-bM-^@M-^XMM-bM-^@M-^Y, or M-bM-^@M-^XGM-bM-^@M-^Y to indicate Kilobytes, |
| Megabytes, or Gigabytes, respectively. The default is between |
| M-bM-^@M-^X1GM-bM-^@M-^Y and M-bM-^@M-^X4GM-bM-^@M-^Y, depending on the cipher. The optional second |
| value is specified in seconds and may use any of the units |
| documented in the TIME FORMATS section of sshd_config(5). The |
| default value for RekeyLimit is M-bM-^@M-^\default noneM-bM-^@M-^], which means that |
| rekeying is performed after the cipher's default amount of data |
| has been sent or received and no time based rekeying is done. |
| |
| RemoteForward |
| Specifies that a TCP port on the remote machine be forwarded over |
| the secure channel to the specified host and port from the local |
| machine. The first argument must be [bind_address:]port and the |
| second argument must be host:hostport. IPv6 addresses can be |
| specified by enclosing addresses in square brackets. Multiple |
| forwardings may be specified, and additional forwardings can be |
| given on the command line. Privileged ports can be forwarded |
| only when logging in as root on the remote machine. |
| |
| If the port argument is M-bM-^@M-^X0M-bM-^@M-^Y, the listen port will be dynamically |
| allocated on the server and reported to the client at run time. |
| |
| If the bind_address is not specified, the default is to only bind |
| to loopback addresses. If the bind_address is M-bM-^@M-^X*M-bM-^@M-^Y or an empty |
| string, then the forwarding is requested to listen on all |
| interfaces. Specifying a remote bind_address will only succeed |
| if the server's GatewayPorts option is enabled (see |
| sshd_config(5)). |
| |
| RequestTTY |
| Specifies whether to request a pseudo-tty for the session. The |
| argument may be one of: M-bM-^@M-^\noM-bM-^@M-^] (never request a TTY), M-bM-^@M-^\yesM-bM-^@M-^] (always |
| request a TTY when standard input is a TTY), M-bM-^@M-^\forceM-bM-^@M-^] (always |
| request a TTY) or M-bM-^@M-^\autoM-bM-^@M-^] (request a TTY when opening a login |
| session). This option mirrors the -t and -T flags for ssh(1). |
| |
| RevokedHostKeys |
| Specifies revoked host public keys. Keys listed in this file |
| will be refused for host authentication. Note that if this file |
| does not exist or is not readable, then host authentication will |
| be refused for all hosts. Keys may be specified as a text file, |
| listing one public key per line, or as an OpenSSH Key Revocation |
| List (KRL) as generated by ssh-keygen(1). For more information |
| on KRLs, see the KEY REVOCATION LISTS section in ssh-keygen(1). |
| |
| RhostsRSAAuthentication |
| Specifies whether to try rhosts based authentication with RSA |
| host authentication. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The |
| default is M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 1 only |
| and requires ssh(1) to be setuid root. |
| |
| RSAAuthentication |
| Specifies whether to try RSA authentication. The argument to |
| this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. RSA authentication will only |
| be attempted if the identity file exists, or an authentication |
| agent is running. The default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option |
| applies to protocol version 1 only. |
| |
| SendEnv |
| Specifies what variables from the local environ(7) should be sent |
| to the server. The server must also support it, and the server |
| must be configured to accept these environment variables. Note |
| that the TERM environment variable is always sent whenever a |
| pseudo-terminal is requested as it is required by the protocol. |
| Refer to AcceptEnv in sshd_config(5) for how to configure the |
| server. Variables are specified by name, which may contain |
| wildcard characters. Multiple environment variables may be |
| separated by whitespace or spread across multiple SendEnv |
| directives. The default is not to send any environment |
| variables. |
| |
| See PATTERNS for more information on patterns. |
| |
| ServerAliveCountMax |
| Sets the number of server alive messages (see below) which may be |
| sent without ssh(1) receiving any messages back from the server. |
| If this threshold is reached while server alive messages are |
| being sent, ssh will disconnect from the server, terminating the |
| session. It is important to note that the use of server alive |
| messages is very different from TCPKeepAlive (below). The server |
| alive messages are sent through the encrypted channel and |
| therefore will not be spoofable. The TCP keepalive option |
| enabled by TCPKeepAlive is spoofable. The server alive mechanism |
| is valuable when the client or server depend on knowing when a |
| connection has become inactive. |
| |
| The default value is 3. If, for example, ServerAliveInterval |
| (see below) is set to 15 and ServerAliveCountMax is left at the |
| default, if the server becomes unresponsive, ssh will disconnect |
| after approximately 45 seconds. |
| |
| ServerAliveInterval |
| Sets a timeout interval in seconds after which if no data has |
| been received from the server, ssh(1) will send a message through |
| the encrypted channel to request a response from the server. The |
| default is 0, indicating that these messages will not be sent to |
| the server. |
| |
| StreamLocalBindMask |
| Sets the octal file creation mode mask (umask) used when creating |
| a Unix-domain socket file for local or remote port forwarding. |
| This option is only used for port forwarding to a Unix-domain |
| socket file. |
| |
| The default value is 0177, which creates a Unix-domain socket |
| file that is readable and writable only by the owner. Note that |
| not all operating systems honor the file mode on Unix-domain |
| socket files. |
| |
| StreamLocalBindUnlink |
| Specifies whether to remove an existing Unix-domain socket file |
| for local or remote port forwarding before creating a new one. |
| If the socket file already exists and StreamLocalBindUnlink is |
| not enabled, ssh will be unable to forward the port to the Unix- |
| domain socket file. This option is only used for port forwarding |
| to a Unix-domain socket file. |
| |
| The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
| |
| StrictHostKeyChecking |
| If this flag is set to M-bM-^@M-^\yesM-bM-^@M-^], ssh(1) will never automatically add |
| host keys to the ~/.ssh/known_hosts file, and refuses to connect |
| to hosts whose host key has changed. This provides maximum |
| protection against trojan horse attacks, though it can be |
| annoying when the /etc/ssh/ssh_known_hosts file is poorly |
| maintained or when connections to new hosts are frequently made. |
| This option forces the user to manually add all new hosts. If |
| this flag is set to M-bM-^@M-^\noM-bM-^@M-^], ssh will automatically add new host |
| keys to the user known hosts files. If this flag is set to |
| M-bM-^@M-^\askM-bM-^@M-^], new host keys will be added to the user known host files |
| only after the user has confirmed that is what they really want |
| to do, and ssh will refuse to connect to hosts whose host key has |
| changed. The host keys of known hosts will be verified |
| automatically in all cases. The argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\noM-bM-^@M-^], or |
| M-bM-^@M-^\askM-bM-^@M-^]. The default is M-bM-^@M-^\askM-bM-^@M-^]. |
| |
| TCPKeepAlive |
| Specifies whether the system should send TCP keepalive messages |
| to the other side. If they are sent, death of the connection or |
| crash of one of the machines will be properly noticed. However, |
| this means that connections will die if the route is down |
| temporarily, and some people find it annoying. |
| |
| The default is M-bM-^@M-^\yesM-bM-^@M-^] (to send TCP keepalive messages), and the |
| client will notice if the network goes down or the remote host |
| dies. This is important in scripts, and many users want it too. |
| |
| To disable TCP keepalive messages, the value should be set to |
| M-bM-^@M-^\noM-bM-^@M-^]. |
| |
| Tunnel Request tun(4) device forwarding between the client and the |
| server. The argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\point-to-pointM-bM-^@M-^] (layer 3), |
| M-bM-^@M-^\ethernetM-bM-^@M-^] (layer 2), or M-bM-^@M-^\noM-bM-^@M-^]. Specifying M-bM-^@M-^\yesM-bM-^@M-^] requests the |
| default tunnel mode, which is M-bM-^@M-^\point-to-pointM-bM-^@M-^]. The default is |
| M-bM-^@M-^\noM-bM-^@M-^]. |
| |
| TunnelDevice |
| Specifies the tun(4) devices to open on the client (local_tun) |
| and the server (remote_tun). |
| |
| The argument must be local_tun[:remote_tun]. The devices may be |
| specified by numerical ID or the keyword M-bM-^@M-^\anyM-bM-^@M-^], which uses the |
| next available tunnel device. If remote_tun is not specified, it |
| defaults to M-bM-^@M-^\anyM-bM-^@M-^]. The default is M-bM-^@M-^\any:anyM-bM-^@M-^]. |
| |
| UpdateHostKeys |
| Specifies whether ssh(1) should accept notifications of |
| additional hostkeys from the server sent after authentication has |
| completed and add them to UserKnownHostsFile. The argument must |
| be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\noM-bM-^@M-^] (the default) or M-bM-^@M-^\askM-bM-^@M-^]. Enabling this option |
| allows learning alternate hostkeys for a server and supports |
| graceful key rotation by allowing a server to send replacement |
| public keys before old ones are removed. Additional hostkeys are |
| only accepted if the key used to authenticate the host was |
| already trusted or explicitly accepted by the user. If |
| UpdateHostKeys is set to M-bM-^@M-^\askM-bM-^@M-^], then the user is asked to confirm |
| the modifications to the known_hosts file. Confirmation is |
| currently incompatible with ControlPersist, and will be disabled |
| if it is enabled. |
| |
| Presently, only sshd(8) from OpenSSH 6.8 and greater support the |
| M-bM-^@M-^\hostkeys@openssh.comM-bM-^@M-^] protocol extension used to inform the |
| client of all the server's hostkeys. |
| |
| UsePrivilegedPort |
| Specifies whether to use a privileged port for outgoing |
| connections. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is |
| M-bM-^@M-^\noM-bM-^@M-^]. If set to M-bM-^@M-^\yesM-bM-^@M-^], ssh(1) must be setuid root. Note that |
| this option must be set to M-bM-^@M-^\yesM-bM-^@M-^] for RhostsRSAAuthentication with |
| older servers. |
| |
| User Specifies the user to log in as. This can be useful when a |
| different user name is used on different machines. This saves |
| the trouble of having to remember to give the user name on the |
| command line. |
| |
| UserKnownHostsFile |
| Specifies one or more files to use for the user host key |
| database, separated by whitespace. The default is |
| ~/.ssh/known_hosts, ~/.ssh/known_hosts2. |
| |
| VerifyHostKeyDNS |
| Specifies whether to verify the remote key using DNS and SSHFP |
| resource records. If this option is set to M-bM-^@M-^\yesM-bM-^@M-^], the client |
| will implicitly trust keys that match a secure fingerprint from |
| DNS. Insecure fingerprints will be handled as if this option was |
| set to M-bM-^@M-^\askM-bM-^@M-^]. If this option is set to M-bM-^@M-^\askM-bM-^@M-^], information on |
| fingerprint match will be displayed, but the user will still need |
| to confirm new host keys according to the StrictHostKeyChecking |
| option. The argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\noM-bM-^@M-^], or M-bM-^@M-^\askM-bM-^@M-^]. The default |
| is M-bM-^@M-^\noM-bM-^@M-^]. |
| |
| See also VERIFYING HOST KEYS in ssh(1). |
| |
| VisualHostKey |
| If this flag is set to M-bM-^@M-^\yesM-bM-^@M-^], an ASCII art representation of the |
| remote host key fingerprint is printed in addition to the |
| fingerprint string at login and for unknown host keys. If this |
| flag is set to M-bM-^@M-^\noM-bM-^@M-^], no fingerprint strings are printed at login |
| and only the fingerprint string will be printed for unknown host |
| keys. The default is M-bM-^@M-^\noM-bM-^@M-^]. |
| |
| XAuthLocation |
| Specifies the full pathname of the xauth(1) program. The default |
| is /usr/X11R6/bin/xauth. |
| |
| PATTERNS |
| A pattern consists of zero or more non-whitespace characters, M-bM-^@M-^X*M-bM-^@M-^Y (a |
| wildcard that matches zero or more characters), or M-bM-^@M-^X?M-bM-^@M-^Y (a wildcard that |
| matches exactly one character). For example, to specify a set of |
| declarations for any host in the M-bM-^@M-^\.co.ukM-bM-^@M-^] set of domains, the following |
| pattern could be used: |
| |
| Host *.co.uk |
| |
| The following pattern would match any host in the 192.168.0.[0-9] network |
| range: |
| |
| Host 192.168.0.? |
| |
| A pattern-list is a comma-separated list of patterns. Patterns within |
| pattern-lists may be negated by preceding them with an exclamation mark |
| (M-bM-^@M-^X!M-bM-^@M-^Y). For example, to allow a key to be used from anywhere within an |
| organization except from the M-bM-^@M-^\dialupM-bM-^@M-^] pool, the following entry (in |
| authorized_keys) could be used: |
| |
| from="!*.dialup.example.com,*.example.com" |
| |
| FILES |
| ~/.ssh/config |
| This is the per-user configuration file. The format of this file |
| is described above. This file is used by the SSH client. |
| Because of the potential for abuse, this file must have strict |
| permissions: read/write for the user, and not accessible by |
| others. |
| |
| /etc/ssh/ssh_config |
| Systemwide configuration file. This file provides defaults for |
| those values that are not specified in the user's configuration |
| file, and for those users who do not have a configuration file. |
| This file must be world-readable. |
| |
| SEE ALSO |
| ssh(1) |
| |
| AUTHORS |
| OpenSSH is a derivative of the original and free ssh 1.2.12 release by |
| Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo |
| de Raadt and Dug Song removed many bugs, re-added newer features and |
| created OpenSSH. Markus Friedl contributed the support for SSH protocol |
| versions 1.5 and 2.0. |
| |
| OpenBSD 6.0 July 22, 2016 OpenBSD 6.0 |