diff options
Diffstat (limited to '')
-rw-r--r-- | ssh_config | 46 | ||||
-rw-r--r-- | ssh_config.0 | 1326 | ||||
-rw-r--r-- | ssh_config.5 | 2208 |
3 files changed, 3580 insertions, 0 deletions
diff --git a/ssh_config b/ssh_config new file mode 100644 index 0000000..842ea86 --- /dev/null +++ b/ssh_config @@ -0,0 +1,46 @@ +# $OpenBSD: ssh_config,v 1.35 2020/07/17 03:43:42 dtucker Exp $ + +# This is the ssh client system-wide configuration file. See +# ssh_config(5) for more information. This file provides defaults for +# users, and the values can be changed in per-user configuration files +# or on the command line. + +# Configuration data is parsed as follows: +# 1. command line options +# 2. user-specific file +# 3. system-wide file +# Any configuration value is only changed the first time it is set. +# Thus, host-specific definitions should be at the beginning of the +# configuration file, and defaults at the end. + +# Site-wide defaults for some commonly used options. For a comprehensive +# list of available options, their meanings and defaults, please see the +# ssh_config(5) man page. + +# Host * +# ForwardAgent no +# ForwardX11 no +# PasswordAuthentication yes +# HostbasedAuthentication no +# GSSAPIAuthentication no +# GSSAPIDelegateCredentials no +# BatchMode no +# CheckHostIP yes +# AddressFamily any +# ConnectTimeout 0 +# StrictHostKeyChecking ask +# IdentityFile ~/.ssh/id_rsa +# IdentityFile ~/.ssh/id_dsa +# IdentityFile ~/.ssh/id_ecdsa +# IdentityFile ~/.ssh/id_ed25519 +# Port 22 +# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc +# MACs hmac-md5,hmac-sha1,umac-64@openssh.com +# EscapeChar ~ +# Tunnel no +# TunnelDevice any:any +# PermitLocalCommand no +# VisualHostKey no +# ProxyCommand ssh -q -W %h:%p gateway.example.com +# RekeyLimit 1G 1h +# UserKnownHostsFile ~/.ssh/known_hosts.d/%k diff --git a/ssh_config.0 b/ssh_config.0 new file mode 100644 index 0000000..4960dad --- /dev/null +++ b/ssh_config.0 @@ -0,0 +1,1326 @@ +SSH_CONFIG(5) File Formats Manual SSH_CONFIG(5) + +NAME + ssh_config M-bM-^@M-^S OpenSSH client configuration file + +DESCRIPTION + ssh(1) obtains configuration data from the following sources in the + following order: + + 1. command-line options + 2. user's configuration file (~/.ssh/config) + 3. system-wide configuration file (/etc/ssh/ssh_config) + + For each parameter, the first obtained value will be used. The + configuration files contain sections separated by Host specifications, + and that section is only applied for hosts that match one of the patterns + given in the specification. The matched host name is usually the one + given on the command line (see the CanonicalizeHostname option for + exceptions). + + Since the first obtained value for each parameter is used, more host- + specific declarations should be given near the beginning of the file, and + general defaults at the end. + + The file contains keyword-argument pairs, one per line. Lines starting + with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines are interpreted as comments. Arguments may + optionally be enclosed in double quotes (") in order to represent + arguments containing spaces. Configuration options may be separated by + whitespace or optional whitespace and exactly one M-bM-^@M-^X=M-bM-^@M-^Y; the latter format + is useful to avoid the need to quote whitespace when specifying + configuration options using the ssh, scp, and sftp -o option. + + The possible keywords and their meanings are as follows (note that + keywords are case-insensitive and arguments are case-sensitive): + + Host Restricts the following declarations (up to the next Host or + Match keyword) to be only for those hosts that match one of the + patterns given after the keyword. If more than one pattern is + provided, they should be separated by whitespace. A single M-bM-^@M-^X*M-bM-^@M-^Y + as a pattern can be used to provide global defaults for all + hosts. The host is usually the hostname argument given on the + command line (see the CanonicalizeHostname keyword for + exceptions). + + A pattern entry may be negated by prefixing it with an + exclamation mark (M-bM-^@M-^X!M-bM-^@M-^Y). If a negated entry is matched, then the + Host entry is ignored, regardless of whether any other patterns + on the line match. Negated matches are therefore useful to + provide exceptions for wildcard matches. + + See PATTERNS for more information on patterns. + + Match Restricts the following declarations (up to the next Host or + Match keyword) to be used only when the conditions following the + Match keyword are satisfied. Match conditions are specified + using one or more criteria or the single token all which always + matches. The available criteria keywords are: canonical, final, + exec, host, originalhost, user, and localuser. The all criteria + must appear alone or immediately after canonical or final. Other + criteria may be combined arbitrarily. All criteria but all, + canonical, and final require an argument. Criteria may be + negated by prepending an exclamation mark (M-bM-^@M-^X!M-bM-^@M-^Y). + + The canonical keyword matches only when the configuration file is + being re-parsed after hostname canonicalization (see the + CanonicalizeHostname option). This may be useful to specify + conditions that work with canonical host names only. + + The final keyword requests that the configuration be re-parsed + (regardless of whether CanonicalizeHostname is enabled), and + matches only during this final pass. If CanonicalizeHostname is + enabled, then canonical and final match during the same pass. + + The exec keyword executes the specified command under the user's + shell. If the command returns a zero exit status then the + condition is considered true. Commands containing whitespace + characters must be quoted. Arguments to exec accept the tokens + described in the TOKENS section. + + The other keywords' criteria must be single entries or comma- + separated lists and may use the wildcard and negation operators + described in the PATTERNS section. The criteria for the host + keyword are matched against the target hostname, after any + substitution by the Hostname or CanonicalizeHostname options. + The originalhost keyword matches against the hostname as it was + specified on the command-line. The user keyword matches against + the target username on the remote host. The localuser keyword + matches against the name of the local user running ssh(1) (this + keyword may be useful in system-wide ssh_config files). + + AddKeysToAgent + Specifies whether keys should be automatically added to a running + ssh-agent(1). If this option is set to yes and a key is loaded + from a file, the key and its passphrase are added to the agent + with the default lifetime, as if by ssh-add(1). If this option + is set to ask, ssh(1) will require confirmation using the + SSH_ASKPASS program before adding a key (see ssh-add(1) for + details). If this option is set to confirm, each use of the key + must be confirmed, as if the -c option was specified to + ssh-add(1). If this option is set to no, no keys are added to + the agent. Alternately, this option may be specified as a time + interval using the format described in the TIME FORMATS section + of sshd_config(5) to specify the key's lifetime in ssh-agent(1), + after which it will automatically be removed. The argument must + be no (the default), yes, confirm (optionally followed by a time + interval), ask or a time interval. + + AddressFamily + Specifies which address family to use when connecting. Valid + arguments are any (the default), inet (use IPv4 only), or inet6 + (use IPv6 only). + + BatchMode + If set to yes, user interaction such as password prompts and host + key confirmation requests will be disabled. This option is + useful in scripts and other batch jobs where no user is present + to interact with ssh(1). The argument must be yes or no (the + default). + + BindAddress + Use the specified address on the local machine as the source + address of the connection. Only useful on systems with more than + one address. + + BindInterface + Use the address of the specified interface on the local machine + as the source address of the connection. + + CanonicalDomains + When CanonicalizeHostname is enabled, this option specifies the + list of domain suffixes in which to search for the specified + destination host. + + CanonicalizeFallbackLocal + Specifies whether to fail with an error when hostname + canonicalization fails. The default, yes, will attempt to look + up the unqualified hostname using the system resolver's search + rules. A value of no will cause ssh(1) to fail instantly if + CanonicalizeHostname is enabled and the target hostname cannot be + found in any of the domains specified by CanonicalDomains. + + CanonicalizeHostname + Controls whether explicit hostname canonicalization is performed. + The default, no, is not to perform any name rewriting and let the + system resolver handle all hostname lookups. If set to yes then, + for connections that do not use a ProxyCommand or ProxyJump, + ssh(1) will attempt to canonicalize the hostname specified on the + command line using the CanonicalDomains suffixes and + CanonicalizePermittedCNAMEs rules. If CanonicalizeHostname is + set to always, then canonicalization is applied to proxied + connections too. + + If this option is enabled, then the configuration files are + processed again using the new target name to pick up any new + configuration in matching Host and Match stanzas. A value of + none disables the use of a ProxyJump host. + + CanonicalizeMaxDots + Specifies the maximum number of dot characters in a hostname + before canonicalization is disabled. The default, 1, allows a + single dot (i.e. hostname.subdomain). + + CanonicalizePermittedCNAMEs + Specifies rules to determine whether CNAMEs should be followed + when canonicalizing hostnames. The rules consist of one or more + arguments of source_domain_list:target_domain_list, where + source_domain_list is a pattern-list of domains that may follow + CNAMEs in canonicalization, and target_domain_list is a pattern- + list of domains that they may resolve to. + + For example, "*.a.example.com:*.b.example.com,*.c.example.com" + will allow hostnames matching "*.a.example.com" to be + canonicalized to names in the "*.b.example.com" or + "*.c.example.com" domains. + + A single argument of "none" causes no CNAMEs to be considered for + canonicalization. This is the default behaviour. + + CASignatureAlgorithms + Specifies which algorithms are allowed for signing of + certificates by certificate authorities (CAs). The default is: + + ssh-ed25519,ecdsa-sha2-nistp256, + ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, + sk-ssh-ed25519@openssh.com, + sk-ecdsa-sha2-nistp256@openssh.com, + rsa-sha2-512,rsa-sha2-256 + + If the specified list begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the + specified algorithms will be appended to the default set instead + of replacing them. If the specified list begins with a M-bM-^@M-^X-M-bM-^@M-^Y + character, then the specified algorithms (including wildcards) + will be removed from the default set instead of replacing them. + + ssh(1) will not accept host certificates signed using algorithms + other than those specified. + + CertificateFile + Specifies a file from which the user's certificate is read. A + corresponding private key must be provided separately in order to + use this certificate either from an IdentityFile directive or -i + flag to ssh(1), via ssh-agent(1), or via a PKCS11Provider or + SecurityKeyProvider. + + Arguments to CertificateFile may use the tilde syntax to refer to + a user's home directory, the tokens described in the TOKENS + section and environment variables as described in the ENVIRONMENT + VARIABLES section. + + It is possible to have multiple certificate files specified in + configuration files; these certificates will be tried in + sequence. Multiple CertificateFile directives will add to the + list of certificates used for authentication. + + CheckHostIP + If set to yes, ssh(1) will additionally check the host IP address + in the known_hosts file. This allows it to detect if a host key + changed due to DNS spoofing and will add addresses of destination + hosts to ~/.ssh/known_hosts in the process, regardless of the + setting of StrictHostKeyChecking. If the option is set to no + (the default), the check will not be executed. + + Ciphers + Specifies the ciphers allowed and their order of preference. + Multiple ciphers must be comma-separated. If the specified list + begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified ciphers will be + appended to the default set instead of replacing them. If the + specified list begins with a M-bM-^@M-^X-M-bM-^@M-^Y character, then the specified + ciphers (including wildcards) will be removed from the default + set instead of replacing them. If the specified list begins with + a M-bM-^@M-^X^M-bM-^@M-^Y character, then the specified ciphers will be placed at the + head of the default set. + + The supported ciphers are: + + 3des-cbc + aes128-cbc + aes192-cbc + aes256-cbc + aes128-ctr + aes192-ctr + aes256-ctr + aes128-gcm@openssh.com + aes256-gcm@openssh.com + chacha20-poly1305@openssh.com + + The default is: + + chacha20-poly1305@openssh.com, + aes128-ctr,aes192-ctr,aes256-ctr, + aes128-gcm@openssh.com,aes256-gcm@openssh.com + + The list of available ciphers may also be obtained using "ssh -Q + cipher". + + ClearAllForwardings + Specifies that all local, remote, and dynamic port forwardings + specified in the configuration files or on the command line be + cleared. This option is primarily useful when used from the + ssh(1) command line to clear port forwardings set in + configuration files, and is automatically set by scp(1) and + sftp(1). The argument must be yes or no (the default). + + Compression + Specifies whether to use compression. The argument must be yes + or no (the default). + + ConnectionAttempts + Specifies the number of tries (one per second) to make before + exiting. The argument must be an integer. This may be useful in + scripts if the connection sometimes fails. The default is 1. + + ConnectTimeout + Specifies the timeout (in seconds) used when connecting to the + SSH server, instead of using the default system TCP timeout. + This timeout is applied both to establishing the connection and + to performing the initial SSH protocol handshake and key + exchange. + + ControlMaster + Enables the sharing of multiple sessions over a single network + connection. When set to yes, ssh(1) will listen for connections + on a control socket specified using the ControlPath argument. + Additional sessions can connect to this socket using the same + ControlPath with ControlMaster set to no (the default). These + sessions will try to reuse the master instance's network + connection rather than initiating new ones, but will fall back to + connecting normally if the control socket does not exist, or is + not listening. + + Setting this to ask will cause ssh(1) to listen for control + connections, but require confirmation using ssh-askpass(1). If + the ControlPath cannot be opened, ssh(1) will continue without + connecting to a master instance. + + X11 and ssh-agent(1) forwarding is supported over these + multiplexed connections, however the display and agent forwarded + will be the one belonging to the master connection i.e. it is not + possible to forward multiple displays or agents. + + Two additional options allow for opportunistic multiplexing: try + to use a master connection but fall back to creating a new one if + one does not already exist. These options are: auto and autoask. + The latter requires confirmation like the ask option. + + ControlPath + Specify the path to the control socket used for connection + sharing as described in the ControlMaster section above or the + string none to disable connection sharing. Arguments to + ControlPath may use the tilde syntax to refer to a user's home + directory, the tokens described in the TOKENS section and + environment variables as described in the ENVIRONMENT VARIABLES + section. It is recommended that any ControlPath used for + opportunistic connection sharing include at least %h, %p, and %r + (or alternatively %C) and be placed in a directory that is not + writable by other users. This ensures that shared connections + are uniquely identified. + + ControlPersist + When used in conjunction with ControlMaster, specifies that the + master connection should remain open in the background (waiting + for future client connections) after the initial client + connection has been closed. If set to no (the default), then the + master connection will not be placed into the background, and + will close as soon as the initial client connection is closed. + If set to yes or 0, then the master connection will remain in the + background indefinitely (until killed or closed via a mechanism + such as the "ssh -O exit"). If set to a time in seconds, or a + time in any of the formats documented in sshd_config(5), then the + backgrounded master connection will automatically terminate after + it has remained idle (with no client connections) for the + specified time. + + DynamicForward + Specifies that a TCP port on the local machine be forwarded over + the secure channel, and the application protocol is then used to + determine where to connect to from the remote machine. + + The argument must be [bind_address:]port. IPv6 addresses can be + specified by enclosing addresses in square brackets. By default, + the local port is bound in accordance with the GatewayPorts + setting. However, an explicit bind_address may be used to bind + the connection to a specific address. The bind_address of + localhost indicates that the listening port be bound for local + use only, while an empty address or M-bM-^@M-^X*M-bM-^@M-^Y indicates that the port + should be available from all interfaces. + + Currently the SOCKS4 and SOCKS5 protocols are supported, and + ssh(1) will act as a SOCKS server. Multiple forwardings may be + specified, and additional forwardings can be given on the command + line. Only the superuser can forward privileged ports. + + EnableEscapeCommandline + Enables the command line option in the EscapeChar menu for + interactive sessions (default M-bM-^@M-^X~CM-bM-^@M-^Y). By default, the command + line is disabled. + + EnableSSHKeysign + Setting this option to yes in the global client configuration + file /etc/ssh/ssh_config enables the use of the helper program + ssh-keysign(8) during HostbasedAuthentication. The argument must + be yes or no (the default). This option should be placed in the + non-hostspecific section. See ssh-keysign(8) for more + information. + + EscapeChar + Sets the escape character (default: M-bM-^@M-^X~M-bM-^@M-^Y). The escape character + can also be set on the command line. The argument should be a + single character, M-bM-^@M-^X^M-bM-^@M-^Y followed by a letter, or none to disable + the escape character entirely (making the connection transparent + for binary data). + + ExitOnForwardFailure + Specifies whether ssh(1) should terminate the connection if it + cannot set up all requested dynamic, tunnel, local, and remote + port forwardings, (e.g. if either end is unable to bind and + listen on a specified port). Note that ExitOnForwardFailure does + not apply to connections made over port forwardings and will not, + for example, cause ssh(1) to exit if TCP connections to the + ultimate forwarding destination fail. The argument must be yes + or no (the default). + + FingerprintHash + Specifies the hash algorithm used when displaying key + fingerprints. Valid options are: md5 and sha256 (the default). + + ForkAfterAuthentication + Requests ssh to go to background just before command execution. + This is useful if ssh is going to ask for passwords or + passphrases, but the user wants it in the background. This + implies the StdinNull configuration option being set to M-bM-^@M-^\yesM-bM-^@M-^]. + The recommended way to start X11 programs at a remote site is + with something like ssh -f host xterm, which is the same as ssh + host xterm if the ForkAfterAuthentication configuration option is + set to M-bM-^@M-^\yesM-bM-^@M-^]. + + If the ExitOnForwardFailure configuration option is set to M-bM-^@M-^\yesM-bM-^@M-^], + then a client started with the ForkAfterAuthentication + configuration option being set to M-bM-^@M-^\yesM-bM-^@M-^] will wait for all remote + port forwards to be successfully established before placing + itself in the background. The argument to this keyword must be + yes (same as the -f option) or no (the default). + + ForwardAgent + Specifies whether the connection to the authentication agent (if + any) will be forwarded to the remote machine. The argument may + be yes, no (the default), an explicit path to an agent socket or + the name of an environment variable (beginning with M-bM-^@M-^X$M-bM-^@M-^Y) in which + to find the path. + + Agent forwarding should be enabled with caution. Users with the + ability to bypass file permissions on the remote host (for the + agent's Unix-domain socket) can access the local agent through + the forwarded connection. An attacker cannot obtain key material + from the agent, however they can perform operations on the keys + that enable them to authenticate using the identities loaded into + the agent. + + ForwardX11 + Specifies whether X11 connections will be automatically + redirected over the secure channel and DISPLAY set. The argument + must be yes or no (the default). + + X11 forwarding should be enabled with caution. Users with the + ability to bypass file permissions on the remote host (for the + user's X11 authorization database) can access the local X11 + display through the forwarded connection. An attacker may then + be able to perform activities such as keystroke monitoring if the + ForwardX11Trusted option is also enabled. + + ForwardX11Timeout + Specify a timeout for untrusted X11 forwarding using the format + described in the TIME FORMATS section of sshd_config(5). X11 + connections received by ssh(1) after this time will be refused. + Setting ForwardX11Timeout to zero will disable the timeout and + permit X11 forwarding for the life of the connection. The + default is to disable untrusted X11 forwarding after twenty + minutes has elapsed. + + ForwardX11Trusted + If this option is set to yes, remote X11 clients will have full + access to the original X11 display. + + If this option is set to no (the default), remote X11 clients + will be considered untrusted and prevented from stealing or + tampering with data belonging to trusted X11 clients. + Furthermore, the xauth(1) token used for the session will be set + to expire after 20 minutes. Remote clients will be refused + access after this time. + + See the X11 SECURITY extension specification for full details on + the restrictions imposed on untrusted clients. + + GatewayPorts + Specifies whether remote hosts are allowed to connect to local + forwarded ports. By default, ssh(1) binds local port forwardings + to the loopback address. This prevents other remote hosts from + connecting to forwarded ports. GatewayPorts can be used to + specify that ssh should bind local port forwardings to the + wildcard address, thus allowing remote hosts to connect to + forwarded ports. The argument must be yes or no (the default). + + GlobalKnownHostsFile + Specifies one or more files to use for the global host key + database, separated by whitespace. The default is + /etc/ssh/ssh_known_hosts, /etc/ssh/ssh_known_hosts2. + + GSSAPIAuthentication + Specifies whether user authentication based on GSSAPI is allowed. + The default is no. + + GSSAPIDelegateCredentials + Forward (delegate) credentials to the server. The default is no. + + HashKnownHosts + Indicates that ssh(1) should hash host names and addresses when + they are added to ~/.ssh/known_hosts. These hashed names may be + used normally by ssh(1) and sshd(8), but they do not visually + reveal identifying information if the file's contents are + disclosed. The default is no. Note that existing names and + addresses in known hosts files will not be converted + automatically, but may be manually hashed using ssh-keygen(1). + + HostbasedAcceptedAlgorithms + Specifies the signature algorithms that will be used for + hostbased authentication as a comma-separated list of patterns. + Alternately if the specified list begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, + then the specified signature algorithms will be appended to the + default set instead of replacing them. If the specified list + begins with a M-bM-^@M-^X-M-bM-^@M-^Y character, then the specified signature + algorithms (including wildcards) will be removed from the default + set instead of replacing them. If the specified list begins with + a M-bM-^@M-^X^M-bM-^@M-^Y character, then the specified signature algorithms will be + placed at the head of the default set. The default for this + option is: + + ssh-ed25519-cert-v01@openssh.com, + ecdsa-sha2-nistp256-cert-v01@openssh.com, + ecdsa-sha2-nistp384-cert-v01@openssh.com, + ecdsa-sha2-nistp521-cert-v01@openssh.com, + sk-ssh-ed25519-cert-v01@openssh.com, + sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, + rsa-sha2-512-cert-v01@openssh.com, + rsa-sha2-256-cert-v01@openssh.com, + ssh-ed25519, + ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, + sk-ssh-ed25519@openssh.com, + sk-ecdsa-sha2-nistp256@openssh.com, + rsa-sha2-512,rsa-sha2-256 + + The -Q option of ssh(1) may be used to list supported signature + algorithms. This was formerly named HostbasedKeyTypes. + + HostbasedAuthentication + Specifies whether to try rhosts based authentication with public + key authentication. The argument must be yes or no (the + default). + + HostKeyAlgorithms + Specifies the host key signature algorithms that the client wants + to use in order of preference. Alternately if the specified list + begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified signature + algorithms will be appended to the default set instead of + replacing them. If the specified list begins with a M-bM-^@M-^X-M-bM-^@M-^Y + character, then the specified signature algorithms (including + wildcards) will be removed from the default set instead of + replacing them. If the specified list begins with a M-bM-^@M-^X^M-bM-^@M-^Y + character, then the specified signature algorithms will be placed + at the head of the default set. The default for this option is: + + ssh-ed25519-cert-v01@openssh.com, + ecdsa-sha2-nistp256-cert-v01@openssh.com, + ecdsa-sha2-nistp384-cert-v01@openssh.com, + ecdsa-sha2-nistp521-cert-v01@openssh.com, + sk-ssh-ed25519-cert-v01@openssh.com, + sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, + rsa-sha2-512-cert-v01@openssh.com, + rsa-sha2-256-cert-v01@openssh.com, + ssh-ed25519, + ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, + sk-ecdsa-sha2-nistp256@openssh.com, + sk-ssh-ed25519@openssh.com, + rsa-sha2-512,rsa-sha2-256 + + If hostkeys are known for the destination host then this default + is modified to prefer their algorithms. + + The list of available signature algorithms may also be obtained + using "ssh -Q HostKeyAlgorithms". + + HostKeyAlias + Specifies an alias that should be used instead of the real host + name when looking up or saving the host key in the host key + database files and when validating host certificates. This + option is useful for tunneling SSH connections or for multiple + servers running on a single host. + + Hostname + Specifies the real host name to log into. This can be used to + specify nicknames or abbreviations for hosts. Arguments to + Hostname accept the tokens described in the TOKENS section. + Numeric IP addresses are also permitted (both on the command line + and in Hostname specifications). The default is the name given + on the command line. + + IdentitiesOnly + Specifies that ssh(1) should only use the configured + authentication identity and certificate files (either the default + files, or those explicitly configured in the ssh_config files or + passed on the ssh(1) command-line), even if ssh-agent(1) or a + PKCS11Provider or SecurityKeyProvider offers more identities. + The argument to this keyword must be yes or no (the default). + This option is intended for situations where ssh-agent offers + many different identities. + + IdentityAgent + Specifies the UNIX-domain socket used to communicate with the + authentication agent. + + This option overrides the SSH_AUTH_SOCK environment variable and + can be used to select a specific agent. Setting the socket name + to none disables the use of an authentication agent. If the + string "SSH_AUTH_SOCK" is specified, the location of the socket + will be read from the SSH_AUTH_SOCK environment variable. + Otherwise if the specified value begins with a M-bM-^@M-^X$M-bM-^@M-^Y character, + then it will be treated as an environment variable containing the + location of the socket. + + Arguments to IdentityAgent may use the tilde syntax to refer to a + user's home directory, the tokens described in the TOKENS section + and environment variables as described in the ENVIRONMENT + VARIABLES section. + + IdentityFile + Specifies a file from which the user's DSA, ECDSA, authenticator- + hosted ECDSA, Ed25519, authenticator-hosted Ed25519 or RSA + authentication identity is read. You can also specify a public + key file to use the corresponding private key that is loaded in + ssh-agent(1) when the private key file is not present locally. + The default is ~/.ssh/id_rsa, ~/.ssh/id_ecdsa, + ~/.ssh/id_ecdsa_sk, ~/.ssh/id_ed25519, ~/.ssh/id_ed25519_sk and + ~/.ssh/id_dsa. Additionally, any identities represented by the + authentication agent will be used for authentication unless + IdentitiesOnly is set. If no certificates have been explicitly + specified by CertificateFile, ssh(1) will try to load certificate + information from the filename obtained by appending -cert.pub to + the path of a specified IdentityFile. + + Arguments to IdentityFile may use the tilde syntax to refer to a + user's home directory or the tokens described in the TOKENS + section. + + It is possible to have multiple identity files specified in + configuration files; all these identities will be tried in + sequence. Multiple IdentityFile directives will add to the list + of identities tried (this behaviour differs from that of other + configuration directives). + + IdentityFile may be used in conjunction with IdentitiesOnly to + select which identities in an agent are offered during + authentication. IdentityFile may also be used in conjunction + with CertificateFile in order to provide any certificate also + needed for authentication with the identity. + + IgnoreUnknown + Specifies a pattern-list of unknown options to be ignored if they + are encountered in configuration parsing. This may be used to + suppress errors if ssh_config contains options that are + unrecognised by ssh(1). It is recommended that IgnoreUnknown be + listed early in the configuration file as it will not be applied + to unknown options that appear before it. + + Include + Include the specified configuration file(s). Multiple pathnames + may be specified and each pathname may contain glob(7) wildcards + and, for user configurations, shell-like M-bM-^@M-^X~M-bM-^@M-^Y references to user + home directories. Wildcards will be expanded and processed in + lexical order. Files without absolute paths are assumed to be in + ~/.ssh if included in a user configuration file or /etc/ssh if + included from the system configuration file. Include directive + may appear inside a Match or Host block to perform conditional + inclusion. + + IPQoS Specifies the IPv4 type-of-service or DSCP class for connections. + Accepted values are af11, af12, af13, af21, af22, af23, af31, + af32, af33, af41, af42, af43, cs0, cs1, cs2, cs3, cs4, cs5, cs6, + cs7, ef, le, lowdelay, throughput, reliability, a numeric value, + or none to use the operating system default. This option may + take one or two arguments, separated by whitespace. If one + argument is specified, it is used as the packet class + unconditionally. If two values are specified, the first is + automatically selected for interactive sessions and the second + for non-interactive sessions. The default is af21 (Low-Latency + Data) for interactive sessions and cs1 (Lower Effort) for non- + interactive sessions. + + KbdInteractiveAuthentication + Specifies whether to use keyboard-interactive authentication. + The argument to this keyword must be yes (the default) or no. + ChallengeResponseAuthentication is a deprecated alias for this. + + KbdInteractiveDevices + Specifies the list of methods to use in keyboard-interactive + authentication. Multiple method names must be comma-separated. + The default is to use the server specified list. The methods + available vary depending on what the server supports. For an + OpenSSH server, it may be zero or more of: bsdauth and pam. + + KexAlgorithms + Specifies the available KEX (Key Exchange) algorithms. Multiple + algorithms must be comma-separated. If the specified list begins + with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified algorithms will be + appended to the default set instead of replacing them. If the + specified list begins with a M-bM-^@M-^X-M-bM-^@M-^Y character, then the specified + algorithms (including wildcards) will be removed from the default + set instead of replacing them. If the specified list begins with + a M-bM-^@M-^X^M-bM-^@M-^Y character, then the specified algorithms will be placed at + the head of the default set. The default is: + + sntrup761x25519-sha512@openssh.com, + curve25519-sha256,curve25519-sha256@libssh.org, + ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, + diffie-hellman-group-exchange-sha256, + diffie-hellman-group16-sha512, + diffie-hellman-group18-sha512, + diffie-hellman-group14-sha256 + + The list of available key exchange algorithms may also be + obtained using "ssh -Q kex". + + KnownHostsCommand + Specifies a command to use to obtain a list of host keys, in + addition to those listed in UserKnownHostsFile and + GlobalKnownHostsFile. This command is executed after the files + have been read. It may write host key lines to standard output + in identical format to the usual files (described in the + VERIFYING HOST KEYS section in ssh(1)). Arguments to + KnownHostsCommand accept the tokens described in the TOKENS + section. The command may be invoked multiple times per + connection: once when preparing the preference list of host key + algorithms to use, again to obtain the host key for the requested + host name and, if CheckHostIP is enabled, one more time to obtain + the host key matching the server's address. If the command exits + abnormally or returns a non-zero exit status then the connection + is terminated. + + LocalCommand + Specifies a command to execute on the local machine after + successfully connecting to the server. The command string + extends to the end of the line, and is executed with the user's + shell. Arguments to LocalCommand accept the tokens described in + the TOKENS section. + + The command is run synchronously and does not have access to the + session of the ssh(1) that spawned it. It should not be used for + interactive commands. + + This directive is ignored unless PermitLocalCommand has been + enabled. + + LocalForward + Specifies that a TCP port on the local machine be forwarded over + the secure channel to the specified host and port from the remote + machine. The first argument specifies the listener and may be + [bind_address:]port or a Unix domain socket path. The second + argument is the destination and may be host:hostport or a Unix + domain socket path if the remote host supports it. + + IPv6 addresses can be specified by enclosing addresses in square + brackets. Multiple forwardings may be specified, and additional + forwardings can be given on the command line. Only the superuser + can forward privileged ports. By default, the local port is + bound in accordance with the GatewayPorts setting. However, an + explicit bind_address may be used to bind the connection to a + specific address. The bind_address of localhost indicates that + the listening port be bound for local use only, while an empty + address or M-bM-^@M-^X*M-bM-^@M-^Y indicates that the port should be available from + all interfaces. Unix domain socket paths may use the tokens + described in the TOKENS section and environment variables as + described in the ENVIRONMENT VARIABLES section. + + LogLevel + Gives the verbosity level that is used when logging messages from + ssh(1). The possible values are: QUIET, FATAL, ERROR, INFO, + VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. + DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify + higher levels of verbose output. + + LogVerbose + Specify one or more overrides to LogLevel. An override consists + of a pattern lists that matches the source file, function and + line number to force detailed logging for. For example, an + override pattern of: + + kex.c:*:1000,*:kex_exchange_identification():*,packet.c:* + + would enable detailed logging for line 1000 of kex.c, everything + in the kex_exchange_identification() function, and all code in + the packet.c file. This option is intended for debugging and no + overrides are enabled by default. + + MACs Specifies the MAC (message authentication code) algorithms in + order of preference. The MAC algorithm is used for data + integrity protection. Multiple algorithms must be comma- + separated. If the specified list begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, + then the specified algorithms will be appended to the default set + instead of replacing them. If the specified list begins with a + M-bM-^@M-^X-M-bM-^@M-^Y character, then the specified algorithms (including + wildcards) will be removed from the default set instead of + replacing them. If the specified list begins with a M-bM-^@M-^X^M-bM-^@M-^Y + character, then the specified algorithms will be placed at the + head of the default set. + + The algorithms that contain "-etm" calculate the MAC after + encryption (encrypt-then-mac). These are considered safer and + their use recommended. + + The default is: + + umac-64-etm@openssh.com,umac-128-etm@openssh.com, + hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, + hmac-sha1-etm@openssh.com, + umac-64@openssh.com,umac-128@openssh.com, + hmac-sha2-256,hmac-sha2-512,hmac-sha1 + + The list of available MAC algorithms may also be obtained using + "ssh -Q mac". + + NoHostAuthenticationForLocalhost + Disable host authentication for localhost (loopback addresses). + The argument to this keyword must be yes or no (the default). + + NumberOfPasswordPrompts + Specifies the number of password prompts before giving up. The + argument to this keyword must be an integer. The default is 3. + + PasswordAuthentication + Specifies whether to use password authentication. The argument + to this keyword must be yes (the default) or no. + + PermitLocalCommand + Allow local command execution via the LocalCommand option or + using the !command escape sequence in ssh(1). The argument must + be yes or no (the default). + + PermitRemoteOpen + Specifies the destinations to which remote TCP port forwarding is + permitted when RemoteForward is used as a SOCKS proxy. The + forwarding specification must be one of the following forms: + + PermitRemoteOpen host:port + PermitRemoteOpen IPv4_addr:port + PermitRemoteOpen [IPv6_addr]:port + + Multiple forwards may be specified by separating them with + whitespace. An argument of any can be used to remove all + restrictions and permit any forwarding requests. An argument of + none can be used to prohibit all forwarding requests. The + wildcard M-bM-^@M-^X*M-bM-^@M-^Y can be used for host or port to allow all hosts or + ports respectively. Otherwise, no pattern matching or address + lookups are performed on supplied names. + + PKCS11Provider + Specifies which PKCS#11 provider to use or none to indicate that + no provider should be used (the default). The argument to this + keyword is a path to the PKCS#11 shared library ssh(1) should use + to communicate with a PKCS#11 token providing keys for user + authentication. + + Port Specifies the port number to connect on the remote host. The + default is 22. + + PreferredAuthentications + Specifies the order in which the client should try authentication + methods. This allows a client to prefer one method (e.g. + keyboard-interactive) over another method (e.g. password). The + default is: + + gssapi-with-mic,hostbased,publickey, + keyboard-interactive,password + + ProxyCommand + Specifies the command to use to connect to the server. The + command string extends to the end of the line, and is executed + using the user's shell M-bM-^@M-^XexecM-bM-^@M-^Y directive to avoid a lingering + shell process. + + Arguments to ProxyCommand accept the tokens described in the + TOKENS section. The command can be basically anything, and + should read from its standard input and write to its standard + output. It should eventually connect an sshd(8) server running + on some machine, or execute sshd -i somewhere. Host key + management will be done using the Hostname of the host being + connected (defaulting to the name typed by the user). Setting + the command to none disables this option entirely. Note that + CheckHostIP is not available for connects with a proxy command. + + This directive is useful in conjunction with nc(1) and its proxy + support. For example, the following directive would connect via + an HTTP proxy at 192.0.2.0: + + ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p + + ProxyJump + Specifies one or more jump proxies as either [user@]host[:port] + or an ssh URI. Multiple proxies may be separated by comma + characters and will be visited sequentially. Setting this option + will cause ssh(1) to connect to the target host by first making a + ssh(1) connection to the specified ProxyJump host and then + establishing a TCP forwarding to the ultimate target from there. + Setting the host to none disables this option entirely. + + Note that this option will compete with the ProxyCommand option - + whichever is specified first will prevent later instances of the + other from taking effect. + + Note also that the configuration for the destination host (either + supplied via the command-line or the configuration file) is not + generally applied to jump hosts. ~/.ssh/config should be used if + specific configuration is required for jump hosts. + + ProxyUseFdpass + Specifies that ProxyCommand will pass a connected file descriptor + back to ssh(1) instead of continuing to execute and pass data. + The default is no. + + PubkeyAcceptedAlgorithms + Specifies the signature algorithms that will be used for public + key authentication as a comma-separated list of patterns. If the + specified list begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the algorithms + after it will be appended to the default instead of replacing it. + If the specified list begins with a M-bM-^@M-^X-M-bM-^@M-^Y character, then the + specified algorithms (including wildcards) will be removed from + the default set instead of replacing them. If the specified list + begins with a M-bM-^@M-^X^M-bM-^@M-^Y character, then the specified algorithms will + be placed at the head of the default set. The default for this + option is: + + ssh-ed25519-cert-v01@openssh.com, + ecdsa-sha2-nistp256-cert-v01@openssh.com, + ecdsa-sha2-nistp384-cert-v01@openssh.com, + ecdsa-sha2-nistp521-cert-v01@openssh.com, + sk-ssh-ed25519-cert-v01@openssh.com, + sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, + rsa-sha2-512-cert-v01@openssh.com, + rsa-sha2-256-cert-v01@openssh.com, + ssh-ed25519, + ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, + sk-ssh-ed25519@openssh.com, + sk-ecdsa-sha2-nistp256@openssh.com, + rsa-sha2-512,rsa-sha2-256 + + The list of available signature algorithms may also be obtained + using "ssh -Q PubkeyAcceptedAlgorithms". + + PubkeyAuthentication + Specifies whether to try public key authentication. The argument + to this keyword must be yes (the default), no, unbound or + host-bound. The final two options enable public key + authentication while respectively disabling or enabling the + OpenSSH host-bound authentication protocol extension required for + restricted ssh-agent(1) forwarding. + + RekeyLimit + Specifies the maximum amount of data that may be transmitted or + received before the session key is renegotiated, optionally + followed by a maximum amount of time that may pass before the + session key is renegotiated. The first argument is specified in + bytes and may have a suffix of M-bM-^@M-^XKM-bM-^@M-^Y, M-bM-^@M-^XMM-bM-^@M-^Y, or M-bM-^@M-^XGM-bM-^@M-^Y to indicate + Kilobytes, Megabytes, or Gigabytes, respectively. The default is + between M-bM-^@M-^X1GM-bM-^@M-^Y and M-bM-^@M-^X4GM-bM-^@M-^Y, depending on the cipher. The optional + second value is specified in seconds and may use any of the units + documented in the TIME FORMATS section of sshd_config(5). The + default value for RekeyLimit is default none, which means that + rekeying is performed after the cipher's default amount of data + has been sent or received and no time based rekeying is done. + + RemoteCommand + Specifies a command to execute on the remote machine after + successfully connecting to the server. The command string + extends to the end of the line, and is executed with the user's + shell. Arguments to RemoteCommand accept the tokens described in + the TOKENS section. + + RemoteForward + Specifies that a TCP port on the remote machine be forwarded over + the secure channel. The remote port may either be forwarded to a + specified host and port from the local machine, or may act as a + SOCKS 4/5 proxy that allows a remote client to connect to + arbitrary destinations from the local machine. The first + argument is the listening specification and may be + [bind_address:]port or, if the remote host supports it, a Unix + domain socket path. If forwarding to a specific destination then + the second argument must be host:hostport or a Unix domain socket + path, otherwise if no destination argument is specified then the + remote forwarding will be established as a SOCKS proxy. When + acting as a SOCKS proxy, the destination of the connection can be + restricted by PermitRemoteOpen. + + IPv6 addresses can be specified by enclosing addresses in square + brackets. Multiple forwardings may be specified, and additional + forwardings can be given on the command line. Privileged ports + can be forwarded only when logging in as root on the remote + machine. Unix domain socket paths may use the tokens described + in the TOKENS section and environment variables as described in + the ENVIRONMENT VARIABLES section. + + If the port argument is 0, the listen port will be dynamically + allocated on the server and reported to the client at run time. + + If the bind_address is not specified, the default is to only bind + to loopback addresses. If the bind_address is M-bM-^@M-^X*M-bM-^@M-^Y or an empty + string, then the forwarding is requested to listen on all + interfaces. Specifying a remote bind_address will only succeed + if the server's GatewayPorts option is enabled (see + sshd_config(5)). + + RequestTTY + Specifies whether to request a pseudo-tty for the session. The + argument may be one of: no (never request a TTY), yes (always + request a TTY when standard input is a TTY), force (always + request a TTY) or auto (request a TTY when opening a login + session). This option mirrors the -t and -T flags for ssh(1). + + RequiredRSASize + Specifies the minimum RSA key size (in bits) that ssh(1) will + accept. User authentication keys smaller than this limit will be + ignored. Servers that present host keys smaller than this limit + will cause the connection to be terminated. The default is 1024 + bits. Note that this limit may only be raised from the default. + + RevokedHostKeys + Specifies revoked host public keys. Keys listed in this file + will be refused for host authentication. Note that if this file + does not exist or is not readable, then host authentication will + be refused for all hosts. Keys may be specified as a text file, + listing one public key per line, or as an OpenSSH Key Revocation + List (KRL) as generated by ssh-keygen(1). For more information + on KRLs, see the KEY REVOCATION LISTS section in ssh-keygen(1). + + SecurityKeyProvider + Specifies a path to a library that will be used when loading any + FIDO authenticator-hosted keys, overriding the default of using + the built-in USB HID support. + + If the specified value begins with a M-bM-^@M-^X$M-bM-^@M-^Y character, then it will + be treated as an environment variable containing the path to the + library. + + SendEnv + Specifies what variables from the local environ(7) should be sent + to the server. The server must also support it, and the server + must be configured to accept these environment variables. Note + that the TERM environment variable is always sent whenever a + pseudo-terminal is requested as it is required by the protocol. + Refer to AcceptEnv in sshd_config(5) for how to configure the + server. Variables are specified by name, which may contain + wildcard characters. Multiple environment variables may be + separated by whitespace or spread across multiple SendEnv + directives. + + See PATTERNS for more information on patterns. + + It is possible to clear previously set SendEnv variable names by + prefixing patterns with -. The default is not to send any + environment variables. + + ServerAliveCountMax + Sets the number of server alive messages (see below) which may be + sent without ssh(1) receiving any messages back from the server. + If this threshold is reached while server alive messages are + being sent, ssh will disconnect from the server, terminating the + session. It is important to note that the use of server alive + messages is very different from TCPKeepAlive (below). The server + alive messages are sent through the encrypted channel and + therefore will not be spoofable. The TCP keepalive option + enabled by TCPKeepAlive is spoofable. The server alive mechanism + is valuable when the client or server depend on knowing when a + connection has become unresponsive. + + The default value is 3. If, for example, ServerAliveInterval + (see below) is set to 15 and ServerAliveCountMax is left at the + default, if the server becomes unresponsive, ssh will disconnect + after approximately 45 seconds. + + ServerAliveInterval + Sets a timeout interval in seconds after which if no data has + been received from the server, ssh(1) will send a message through + the encrypted channel to request a response from the server. The + default is 0, indicating that these messages will not be sent to + the server. + + SessionType + May be used to either request invocation of a subsystem on the + remote system, or to prevent the execution of a remote command at + all. The latter is useful for just forwarding ports. The + argument to this keyword must be none (same as the -N option), + subsystem (same as the -s option) or default (shell or command + execution). + + SetEnv Directly specify one or more environment variables and their + contents to be sent to the server. Similarly to SendEnv, with + the exception of the TERM variable, the server must be prepared + to accept the environment variable. + + StdinNull + Redirects stdin from /dev/null (actually, prevents reading from + stdin). Either this or the equivalent -n option must be used + when ssh is run in the background. The argument to this keyword + must be yes (same as the -n option) or no (the default). + + StreamLocalBindMask + Sets the octal file creation mode mask (umask) used when creating + a Unix-domain socket file for local or remote port forwarding. + This option is only used for port forwarding to a Unix-domain + socket file. + + The default value is 0177, which creates a Unix-domain socket + file that is readable and writable only by the owner. Note that + not all operating systems honor the file mode on Unix-domain + socket files. + + StreamLocalBindUnlink + Specifies whether to remove an existing Unix-domain socket file + for local or remote port forwarding before creating a new one. + If the socket file already exists and StreamLocalBindUnlink is + not enabled, ssh will be unable to forward the port to the Unix- + domain socket file. This option is only used for port forwarding + to a Unix-domain socket file. + + The argument must be yes or no (the default). + + StrictHostKeyChecking + If this flag is set to yes, ssh(1) will never automatically add + host keys to the ~/.ssh/known_hosts file, and refuses to connect + to hosts whose host key has changed. This provides maximum + protection against man-in-the-middle (MITM) attacks, though it + can be annoying when the /etc/ssh/ssh_known_hosts file is poorly + maintained or when connections to new hosts are frequently made. + This option forces the user to manually add all new hosts. + + If this flag is set to accept-new then ssh will automatically add + new host keys to the user's known_hosts file, but will not permit + connections to hosts with changed host keys. If this flag is set + to no or off, ssh will automatically add new host keys to the + user known hosts files and allow connections to hosts with + changed hostkeys to proceed, subject to some restrictions. If + this flag is set to ask (the default), new host keys will be + added to the user known host files only after the user has + confirmed that is what they really want to do, and ssh will + refuse to connect to hosts whose host key has changed. The host + keys of known hosts will be verified automatically in all cases. + + SyslogFacility + Gives the facility code that is used when logging messages from + ssh(1). The possible values are: DAEMON, USER, AUTH, LOCAL0, + LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The + default is USER. + + TCPKeepAlive + Specifies whether the system should send TCP keepalive messages + to the other side. If they are sent, death of the connection or + crash of one of the machines will be properly noticed. However, + this means that connections will die if the route is down + temporarily, and some people find it annoying. + + The default is yes (to send TCP keepalive messages), and the + client will notice if the network goes down or the remote host + dies. This is important in scripts, and many users want it too. + + To disable TCP keepalive messages, the value should be set to no. + See also ServerAliveInterval for protocol-level keepalives. + + Tunnel Request tun(4) device forwarding between the client and the + server. The argument must be yes, point-to-point (layer 3), + ethernet (layer 2), or no (the default). Specifying yes requests + the default tunnel mode, which is point-to-point. + + TunnelDevice + Specifies the tun(4) devices to open on the client (local_tun) + and the server (remote_tun). + + The argument must be local_tun[:remote_tun]. The devices may be + specified by numerical ID or the keyword any, which uses the next + available tunnel device. If remote_tun is not specified, it + defaults to any. The default is any:any. + + UpdateHostKeys + Specifies whether ssh(1) should accept notifications of + additional hostkeys from the server sent after authentication has + completed and add them to UserKnownHostsFile. The argument must + be yes, no or ask. This option allows learning alternate + hostkeys for a server and supports graceful key rotation by + allowing a server to send replacement public keys before old ones + are removed. + + Additional hostkeys are only accepted if the key used to + authenticate the host was already trusted or explicitly accepted + by the user, the host was authenticated via UserKnownHostsFile + (i.e. not GlobalKnownHostsFile) and the host was authenticated + using a plain key and not a certificate. + + UpdateHostKeys is enabled by default if the user has not + overridden the default UserKnownHostsFile setting and has not + enabled VerifyHostKeyDNS, otherwise UpdateHostKeys will be set to + no. + + If UpdateHostKeys is set to ask, then the user is asked to + confirm the modifications to the known_hosts file. Confirmation + is currently incompatible with ControlPersist, and will be + disabled if it is enabled. + + Presently, only sshd(8) from OpenSSH 6.8 and greater support the + "hostkeys@openssh.com" protocol extension used to inform the + client of all the server's hostkeys. + + User Specifies the user to log in as. This can be useful when a + different user name is used on different machines. This saves + the trouble of having to remember to give the user name on the + command line. + + UserKnownHostsFile + Specifies one or more files to use for the user host key + database, separated by whitespace. Each filename may use tilde + notation to refer to the user's home directory, the tokens + described in the TOKENS section and environment variables as + described in the ENVIRONMENT VARIABLES section. A value of none + causes ssh(1) to ignore any user-specific known hosts files. The + default is ~/.ssh/known_hosts, ~/.ssh/known_hosts2. + + VerifyHostKeyDNS + Specifies whether to verify the remote key using DNS and SSHFP + resource records. If this option is set to yes, the client will + implicitly trust keys that match a secure fingerprint from DNS. + Insecure fingerprints will be handled as if this option was set + to ask. If this option is set to ask, information on fingerprint + match will be displayed, but the user will still need to confirm + new host keys according to the StrictHostKeyChecking option. The + default is no. + + See also VERIFYING HOST KEYS in ssh(1). + + VisualHostKey + If this flag is set to yes, an ASCII art representation of the + remote host key fingerprint is printed in addition to the + fingerprint string at login and for unknown host keys. If this + flag is set to no (the default), no fingerprint strings are + printed at login and only the fingerprint string will be printed + for unknown host keys. + + XAuthLocation + Specifies the full pathname of the xauth(1) program. The default + is /usr/X11R6/bin/xauth. + +PATTERNS + A pattern consists of zero or more non-whitespace characters, M-bM-^@M-^X*M-bM-^@M-^Y (a + wildcard that matches zero or more characters), or M-bM-^@M-^X?M-bM-^@M-^Y (a wildcard that + matches exactly one character). For example, to specify a set of + declarations for any host in the ".co.uk" set of domains, the following + pattern could be used: + + Host *.co.uk + + The following pattern would match any host in the 192.168.0.[0-9] network + range: + + Host 192.168.0.? + + A pattern-list is a comma-separated list of patterns. Patterns within + pattern-lists may be negated by preceding them with an exclamation mark + (M-bM-^@M-^X!M-bM-^@M-^Y). For example, to allow a key to be used from anywhere within an + organization except from the "dialup" pool, the following entry (in + authorized_keys) could be used: + + from="!*.dialup.example.com,*.example.com" + + Note that a negated match will never produce a positive result by itself. + For example, attempting to match "host3" against the following pattern- + list will fail: + + from="!host1,!host2" + + The solution here is to include a term that will yield a positive match, + such as a wildcard: + + from="!host1,!host2,*" + +TOKENS + Arguments to some keywords can make use of tokens, which are expanded at + runtime: + + %% A literal M-bM-^@M-^X%M-bM-^@M-^Y. + %C Hash of %l%h%p%r. + %d Local user's home directory. + %f The fingerprint of the server's host key. + %H The known_hosts hostname or address that is being searched + for. + %h The remote hostname. + %I A string describing the reason for a KnownHostsCommand + execution: either ADDRESS when looking up a host by address + (only when CheckHostIP is enabled), HOSTNAME when searching + by hostname, or ORDER when preparing the host key algorithm + preference list to use for the destination host. + %i The local user ID. + %K The base64 encoded host key. + %k The host key alias if specified, otherwise the original + remote hostname given on the command line. + %L The local hostname. + %l The local hostname, including the domain name. + %n The original remote hostname, as given on the command line. + %p The remote port. + %r The remote username. + %T The local tun(4) or tap(4) network interface assigned if + tunnel forwarding was requested, or "NONE" otherwise. + %t The type of the server host key, e.g. ssh-ed25519. + %u The local username. + + CertificateFile, ControlPath, IdentityAgent, IdentityFile, + KnownHostsCommand, LocalForward, Match exec, RemoteCommand, + RemoteForward, and UserKnownHostsFile accept the tokens %%, %C, %d, %h, + %i, %k, %L, %l, %n, %p, %r, and %u. + + KnownHostsCommand additionally accepts the tokens %f, %H, %I, %K and %t. + + Hostname accepts the tokens %% and %h. + + LocalCommand accepts all tokens. + + ProxyCommand and ProxyJump accept the tokens %%, %h, %n, %p, and %r. + +ENVIRONMENT VARIABLES + Arguments to some keywords can be expanded at runtime from environment + variables on the client by enclosing them in ${}, for example + ${HOME}/.ssh would refer to the user's .ssh directory. If a specified + environment variable does not exist then an error will be returned and + the setting for that keyword will be ignored. + + The keywords CertificateFile, ControlPath, IdentityAgent, IdentityFile, + KnownHostsCommand, and UserKnownHostsFile support environment variables. + The keywords LocalForward and RemoteForward support environment variables + only for Unix domain socket paths. + +FILES + ~/.ssh/config + This is the per-user configuration file. The format of this file + is described above. This file is used by the SSH client. + Because of the potential for abuse, this file must have strict + permissions: read/write for the user, and not writable by others. + + /etc/ssh/ssh_config + Systemwide configuration file. This file provides defaults for + those values that are not specified in the user's configuration + file, and for those users who do not have a configuration file. + This file must be world-readable. + +SEE ALSO + ssh(1) + +AUTHORS + OpenSSH is a derivative of the original and free ssh 1.2.12 release by + Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo + de Raadt and Dug Song removed many bugs, re-added newer features and + created OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. + +OpenBSD 7.2 January 13, 2023 OpenBSD 7.2 diff --git a/ssh_config.5 b/ssh_config.5 new file mode 100644 index 0000000..9eb6b97 --- /dev/null +++ b/ssh_config.5 @@ -0,0 +1,2208 @@ +.\" +.\" Author: Tatu Ylonen <ylo@cs.hut.fi> +.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland +.\" All rights reserved +.\" +.\" As far as I am concerned, the code I have written for this software +.\" can be used freely for any purpose. Any derived versions of this +.\" software must be clearly marked as such, and if the derived work is +.\" incompatible with the protocol description in the RFC file, it must be +.\" called by a name other than "ssh" or "Secure Shell". +.\" +.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. +.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. +.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.\" $OpenBSD: ssh_config.5,v 1.378 2023/01/13 07:13:40 jmc Exp $ +.Dd $Mdocdate: January 13 2023 $ +.Dt SSH_CONFIG 5 +.Os +.Sh NAME +.Nm ssh_config +.Nd OpenSSH client configuration file +.Sh DESCRIPTION +.Xr ssh 1 +obtains configuration data from the following sources in +the following order: +.Pp +.Bl -enum -offset indent -compact +.It +command-line options +.It +user's configuration file +.Pq Pa ~/.ssh/config +.It +system-wide configuration file +.Pq Pa /etc/ssh/ssh_config +.El +.Pp +For each parameter, the first obtained value +will be used. +The configuration files contain sections separated by +.Cm Host +specifications, and that section is only applied for hosts that +match one of the patterns given in the specification. +The matched host name is usually the one given on the command line +(see the +.Cm CanonicalizeHostname +option for exceptions). +.Pp +Since the first obtained value for each parameter is used, more +host-specific declarations should be given near the beginning of the +file, and general defaults at the end. +.Pp +The file contains keyword-argument pairs, one per line. +Lines starting with +.Ql # +and empty lines are interpreted as comments. +Arguments may optionally be enclosed in double quotes +.Pq \&" +in order to represent arguments containing spaces. +Configuration options may be separated by whitespace or +optional whitespace and exactly one +.Ql = ; +the latter format is useful to avoid the need to quote whitespace +when specifying configuration options using the +.Nm ssh , +.Nm scp , +and +.Nm sftp +.Fl o +option. +.Pp +The possible +keywords and their meanings are as follows (note that +keywords are case-insensitive and arguments are case-sensitive): +.Bl -tag -width Ds +.It Cm Host +Restricts the following declarations (up to the next +.Cm Host +or +.Cm Match +keyword) to be only for those hosts that match one of the patterns +given after the keyword. +If more than one pattern is provided, they should be separated by whitespace. +A single +.Ql * +as a pattern can be used to provide global +defaults for all hosts. +The host is usually the +.Ar hostname +argument given on the command line +(see the +.Cm CanonicalizeHostname +keyword for exceptions). +.Pp +A pattern entry may be negated by prefixing it with an exclamation mark +.Pq Sq !\& . +If a negated entry is matched, then the +.Cm Host +entry is ignored, regardless of whether any other patterns on the line +match. +Negated matches are therefore useful to provide exceptions for wildcard +matches. +.Pp +See +.Sx PATTERNS +for more information on patterns. +.It Cm Match +Restricts the following declarations (up to the next +.Cm Host +or +.Cm Match +keyword) to be used only when the conditions following the +.Cm Match +keyword are satisfied. +Match conditions are specified using one or more criteria +or the single token +.Cm all +which always matches. +The available criteria keywords are: +.Cm canonical , +.Cm final , +.Cm exec , +.Cm host , +.Cm originalhost , +.Cm user , +and +.Cm localuser . +The +.Cm all +criteria must appear alone or immediately after +.Cm canonical +or +.Cm final . +Other criteria may be combined arbitrarily. +All criteria but +.Cm all , +.Cm canonical , +and +.Cm final +require an argument. +Criteria may be negated by prepending an exclamation mark +.Pq Sq !\& . +.Pp +The +.Cm canonical +keyword matches only when the configuration file is being re-parsed +after hostname canonicalization (see the +.Cm CanonicalizeHostname +option). +This may be useful to specify conditions that work with canonical host +names only. +.Pp +The +.Cm final +keyword requests that the configuration be re-parsed (regardless of whether +.Cm CanonicalizeHostname +is enabled), and matches only during this final pass. +If +.Cm CanonicalizeHostname +is enabled, then +.Cm canonical +and +.Cm final +match during the same pass. +.Pp +The +.Cm exec +keyword executes the specified command under the user's shell. +If the command returns a zero exit status then the condition is considered true. +Commands containing whitespace characters must be quoted. +Arguments to +.Cm exec +accept the tokens described in the +.Sx TOKENS +section. +.Pp +The other keywords' criteria must be single entries or comma-separated +lists and may use the wildcard and negation operators described in the +.Sx PATTERNS +section. +The criteria for the +.Cm host +keyword are matched against the target hostname, after any substitution +by the +.Cm Hostname +or +.Cm CanonicalizeHostname +options. +The +.Cm originalhost +keyword matches against the hostname as it was specified on the command-line. +The +.Cm user +keyword matches against the target username on the remote host. +The +.Cm localuser +keyword matches against the name of the local user running +.Xr ssh 1 +(this keyword may be useful in system-wide +.Nm +files). +.It Cm AddKeysToAgent +Specifies whether keys should be automatically added to a running +.Xr ssh-agent 1 . +If this option is set to +.Cm yes +and a key is loaded from a file, the key and its passphrase are added to +the agent with the default lifetime, as if by +.Xr ssh-add 1 . +If this option is set to +.Cm ask , +.Xr ssh 1 +will require confirmation using the +.Ev SSH_ASKPASS +program before adding a key (see +.Xr ssh-add 1 +for details). +If this option is set to +.Cm confirm , +each use of the key must be confirmed, as if the +.Fl c +option was specified to +.Xr ssh-add 1 . +If this option is set to +.Cm no , +no keys are added to the agent. +Alternately, this option may be specified as a time interval +using the format described in the +.Sx TIME FORMATS +section of +.Xr sshd_config 5 +to specify the key's lifetime in +.Xr ssh-agent 1 , +after which it will automatically be removed. +The argument must be +.Cm no +(the default), +.Cm yes , +.Cm confirm +(optionally followed by a time interval), +.Cm ask +or a time interval. +.It Cm AddressFamily +Specifies which address family to use when connecting. +Valid arguments are +.Cm any +(the default), +.Cm inet +(use IPv4 only), or +.Cm inet6 +(use IPv6 only). +.It Cm BatchMode +If set to +.Cm yes , +user interaction such as password prompts and host key confirmation requests +will be disabled. +This option is useful in scripts and other batch jobs where no user +is present to interact with +.Xr ssh 1 . +The argument must be +.Cm yes +or +.Cm no +(the default). +.It Cm BindAddress +Use the specified address on the local machine as the source address of +the connection. +Only useful on systems with more than one address. +.It Cm BindInterface +Use the address of the specified interface on the local machine as the +source address of the connection. +.It Cm CanonicalDomains +When +.Cm CanonicalizeHostname +is enabled, this option specifies the list of domain suffixes in which to +search for the specified destination host. +.It Cm CanonicalizeFallbackLocal +Specifies whether to fail with an error when hostname canonicalization fails. +The default, +.Cm yes , +will attempt to look up the unqualified hostname using the system resolver's +search rules. +A value of +.Cm no +will cause +.Xr ssh 1 +to fail instantly if +.Cm CanonicalizeHostname +is enabled and the target hostname cannot be found in any of the domains +specified by +.Cm CanonicalDomains . +.It Cm CanonicalizeHostname +Controls whether explicit hostname canonicalization is performed. +The default, +.Cm no , +is not to perform any name rewriting and let the system resolver handle all +hostname lookups. +If set to +.Cm yes +then, for connections that do not use a +.Cm ProxyCommand +or +.Cm ProxyJump , +.Xr ssh 1 +will attempt to canonicalize the hostname specified on the command line +using the +.Cm CanonicalDomains +suffixes and +.Cm CanonicalizePermittedCNAMEs +rules. +If +.Cm CanonicalizeHostname +is set to +.Cm always , +then canonicalization is applied to proxied connections too. +.Pp +If this option is enabled, then the configuration files are processed +again using the new target name to pick up any new configuration in matching +.Cm Host +and +.Cm Match +stanzas. +A value of +.Cm none +disables the use of a +.Cm ProxyJump +host. +.It Cm CanonicalizeMaxDots +Specifies the maximum number of dot characters in a hostname before +canonicalization is disabled. +The default, 1, +allows a single dot (i.e. hostname.subdomain). +.It Cm CanonicalizePermittedCNAMEs +Specifies rules to determine whether CNAMEs should be followed when +canonicalizing hostnames. +The rules consist of one or more arguments of +.Ar source_domain_list : Ns Ar target_domain_list , +where +.Ar source_domain_list +is a pattern-list of domains that may follow CNAMEs in canonicalization, +and +.Ar target_domain_list +is a pattern-list of domains that they may resolve to. +.Pp +For example, +.Qq *.a.example.com:*.b.example.com,*.c.example.com +will allow hostnames matching +.Qq *.a.example.com +to be canonicalized to names in the +.Qq *.b.example.com +or +.Qq *.c.example.com +domains. +.Pp +A single argument of +.Qq none +causes no CNAMEs to be considered for canonicalization. +This is the default behaviour. +.It Cm CASignatureAlgorithms +Specifies which algorithms are allowed for signing of certificates +by certificate authorities (CAs). +The default is: +.Bd -literal -offset indent +ssh-ed25519,ecdsa-sha2-nistp256, +ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +sk-ssh-ed25519@openssh.com, +sk-ecdsa-sha2-nistp256@openssh.com, +rsa-sha2-512,rsa-sha2-256 +.Ed +.Pp +If the specified list begins with a +.Sq + +character, then the specified algorithms will be appended to the default set +instead of replacing them. +If the specified list begins with a +.Sq - +character, then the specified algorithms (including wildcards) will be removed +from the default set instead of replacing them. +.Pp +.Xr ssh 1 +will not accept host certificates signed using algorithms other than those +specified. +.It Cm CertificateFile +Specifies a file from which the user's certificate is read. +A corresponding private key must be provided separately in order +to use this certificate either +from an +.Cm IdentityFile +directive or +.Fl i +flag to +.Xr ssh 1 , +via +.Xr ssh-agent 1 , +or via a +.Cm PKCS11Provider +or +.Cm SecurityKeyProvider . +.Pp +Arguments to +.Cm CertificateFile +may use the tilde syntax to refer to a user's home directory, +the tokens described in the +.Sx TOKENS +section and environment variables as described in the +.Sx ENVIRONMENT VARIABLES +section. +.Pp +It is possible to have multiple certificate files specified in +configuration files; these certificates will be tried in sequence. +Multiple +.Cm CertificateFile +directives will add to the list of certificates used for +authentication. +.It Cm CheckHostIP +If set to +.Cm yes , +.Xr ssh 1 +will additionally check the host IP address in the +.Pa known_hosts +file. +This allows it to detect if a host key changed due to DNS spoofing +and will add addresses of destination hosts to +.Pa ~/.ssh/known_hosts +in the process, regardless of the setting of +.Cm StrictHostKeyChecking . +If the option is set to +.Cm no +(the default), +the check will not be executed. +.It Cm Ciphers +Specifies the ciphers allowed and their order of preference. +Multiple ciphers must be comma-separated. +If the specified list begins with a +.Sq + +character, then the specified ciphers will be appended to the default set +instead of replacing them. +If the specified list begins with a +.Sq - +character, then the specified ciphers (including wildcards) will be removed +from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified ciphers will be placed at the head of the +default set. +.Pp +The supported ciphers are: +.Bd -literal -offset indent +3des-cbc +aes128-cbc +aes192-cbc +aes256-cbc +aes128-ctr +aes192-ctr +aes256-ctr +aes128-gcm@openssh.com +aes256-gcm@openssh.com +chacha20-poly1305@openssh.com +.Ed +.Pp +The default is: +.Bd -literal -offset indent +chacha20-poly1305@openssh.com, +aes128-ctr,aes192-ctr,aes256-ctr, +aes128-gcm@openssh.com,aes256-gcm@openssh.com +.Ed +.Pp +The list of available ciphers may also be obtained using +.Qq ssh -Q cipher . +.It Cm ClearAllForwardings +Specifies that all local, remote, and dynamic port forwardings +specified in the configuration files or on the command line be +cleared. +This option is primarily useful when used from the +.Xr ssh 1 +command line to clear port forwardings set in +configuration files, and is automatically set by +.Xr scp 1 +and +.Xr sftp 1 . +The argument must be +.Cm yes +or +.Cm no +(the default). +.It Cm Compression +Specifies whether to use compression. +The argument must be +.Cm yes +or +.Cm no +(the default). +.It Cm ConnectionAttempts +Specifies the number of tries (one per second) to make before exiting. +The argument must be an integer. +This may be useful in scripts if the connection sometimes fails. +The default is 1. +.It Cm ConnectTimeout +Specifies the timeout (in seconds) used when connecting to the +SSH server, instead of using the default system TCP timeout. +This timeout is applied both to establishing the connection and to performing +the initial SSH protocol handshake and key exchange. +.It Cm ControlMaster +Enables the sharing of multiple sessions over a single network connection. +When set to +.Cm yes , +.Xr ssh 1 +will listen for connections on a control socket specified using the +.Cm ControlPath +argument. +Additional sessions can connect to this socket using the same +.Cm ControlPath +with +.Cm ControlMaster +set to +.Cm no +(the default). +These sessions will try to reuse the master instance's network connection +rather than initiating new ones, but will fall back to connecting normally +if the control socket does not exist, or is not listening. +.Pp +Setting this to +.Cm ask +will cause +.Xr ssh 1 +to listen for control connections, but require confirmation using +.Xr ssh-askpass 1 . +If the +.Cm ControlPath +cannot be opened, +.Xr ssh 1 +will continue without connecting to a master instance. +.Pp +X11 and +.Xr ssh-agent 1 +forwarding is supported over these multiplexed connections, however the +display and agent forwarded will be the one belonging to the master +connection i.e. it is not possible to forward multiple displays or agents. +.Pp +Two additional options allow for opportunistic multiplexing: try to use a +master connection but fall back to creating a new one if one does not already +exist. +These options are: +.Cm auto +and +.Cm autoask . +The latter requires confirmation like the +.Cm ask +option. +.It Cm ControlPath +Specify the path to the control socket used for connection sharing as described +in the +.Cm ControlMaster +section above or the string +.Cm none +to disable connection sharing. +Arguments to +.Cm ControlPath +may use the tilde syntax to refer to a user's home directory, +the tokens described in the +.Sx TOKENS +section and environment variables as described in the +.Sx ENVIRONMENT VARIABLES +section. +It is recommended that any +.Cm ControlPath +used for opportunistic connection sharing include +at least %h, %p, and %r (or alternatively %C) and be placed in a directory +that is not writable by other users. +This ensures that shared connections are uniquely identified. +.It Cm ControlPersist +When used in conjunction with +.Cm ControlMaster , +specifies that the master connection should remain open +in the background (waiting for future client connections) +after the initial client connection has been closed. +If set to +.Cm no +(the default), +then the master connection will not be placed into the background, +and will close as soon as the initial client connection is closed. +If set to +.Cm yes +or 0, +then the master connection will remain in the background indefinitely +(until killed or closed via a mechanism such as the +.Qq ssh -O exit ) . +If set to a time in seconds, or a time in any of the formats documented in +.Xr sshd_config 5 , +then the backgrounded master connection will automatically terminate +after it has remained idle (with no client connections) for the +specified time. +.It Cm DynamicForward +Specifies that a TCP port on the local machine be forwarded +over the secure channel, and the application +protocol is then used to determine where to connect to from the +remote machine. +.Pp +The argument must be +.Sm off +.Oo Ar bind_address : Oc Ar port . +.Sm on +IPv6 addresses can be specified by enclosing addresses in square brackets. +By default, the local port is bound in accordance with the +.Cm GatewayPorts +setting. +However, an explicit +.Ar bind_address +may be used to bind the connection to a specific address. +The +.Ar bind_address +of +.Cm localhost +indicates that the listening port be bound for local use only, while an +empty address or +.Sq * +indicates that the port should be available from all interfaces. +.Pp +Currently the SOCKS4 and SOCKS5 protocols are supported, and +.Xr ssh 1 +will act as a SOCKS server. +Multiple forwardings may be specified, and +additional forwardings can be given on the command line. +Only the superuser can forward privileged ports. +.It Cm EnableEscapeCommandline +Enables the command line option in the +.Cm EscapeChar +menu for interactive sessions (default +.Ql ~C ) . +By default, the command line is disabled. +.It Cm EnableSSHKeysign +Setting this option to +.Cm yes +in the global client configuration file +.Pa /etc/ssh/ssh_config +enables the use of the helper program +.Xr ssh-keysign 8 +during +.Cm HostbasedAuthentication . +The argument must be +.Cm yes +or +.Cm no +(the default). +This option should be placed in the non-hostspecific section. +See +.Xr ssh-keysign 8 +for more information. +.It Cm EscapeChar +Sets the escape character (default: +.Ql ~ ) . +The escape character can also +be set on the command line. +The argument should be a single character, +.Ql ^ +followed by a letter, or +.Cm none +to disable the escape +character entirely (making the connection transparent for binary +data). +.It Cm ExitOnForwardFailure +Specifies whether +.Xr ssh 1 +should terminate the connection if it cannot set up all requested +dynamic, tunnel, local, and remote port forwardings, (e.g.\& +if either end is unable to bind and listen on a specified port). +Note that +.Cm ExitOnForwardFailure +does not apply to connections made over port forwardings and will not, +for example, cause +.Xr ssh 1 +to exit if TCP connections to the ultimate forwarding destination fail. +The argument must be +.Cm yes +or +.Cm no +(the default). +.It Cm FingerprintHash +Specifies the hash algorithm used when displaying key fingerprints. +Valid options are: +.Cm md5 +and +.Cm sha256 +(the default). +.It Cm ForkAfterAuthentication +Requests +.Nm ssh +to go to background just before command execution. +This is useful if +.Nm ssh +is going to ask for passwords or passphrases, but the user +wants it in the background. +This implies the +.Cm StdinNull +configuration option being set to +.Dq yes . +The recommended way to start X11 programs at a remote site is with +something like +.Ic ssh -f host xterm , +which is the same as +.Ic ssh host xterm +if the +.Cm ForkAfterAuthentication +configuration option is set to +.Dq yes . +.Pp +If the +.Cm ExitOnForwardFailure +configuration option is set to +.Dq yes , +then a client started with the +.Cm ForkAfterAuthentication +configuration option being set to +.Dq yes +will wait for all remote port forwards to be successfully established +before placing itself in the background. +The argument to this keyword must be +.Cm yes +(same as the +.Fl f +option) or +.Cm no +(the default). +.It Cm ForwardAgent +Specifies whether the connection to the authentication agent (if any) +will be forwarded to the remote machine. +The argument may be +.Cm yes , +.Cm no +(the default), +an explicit path to an agent socket or the name of an environment variable +(beginning with +.Sq $ ) +in which to find the path. +.Pp +Agent forwarding should be enabled with caution. +Users with the ability to bypass file permissions on the remote host +(for the agent's Unix-domain socket) +can access the local agent through the forwarded connection. +An attacker cannot obtain key material from the agent, +however they can perform operations on the keys that enable them to +authenticate using the identities loaded into the agent. +.It Cm ForwardX11 +Specifies whether X11 connections will be automatically redirected +over the secure channel and +.Ev DISPLAY +set. +The argument must be +.Cm yes +or +.Cm no +(the default). +.Pp +X11 forwarding should be enabled with caution. +Users with the ability to bypass file permissions on the remote host +(for the user's X11 authorization database) +can access the local X11 display through the forwarded connection. +An attacker may then be able to perform activities such as keystroke monitoring +if the +.Cm ForwardX11Trusted +option is also enabled. +.It Cm ForwardX11Timeout +Specify a timeout for untrusted X11 forwarding +using the format described in the +.Sx TIME FORMATS +section of +.Xr sshd_config 5 . +X11 connections received by +.Xr ssh 1 +after this time will be refused. +Setting +.Cm ForwardX11Timeout +to zero will disable the timeout and permit X11 forwarding for the life +of the connection. +The default is to disable untrusted X11 forwarding after twenty minutes has +elapsed. +.It Cm ForwardX11Trusted +If this option is set to +.Cm yes , +remote X11 clients will have full access to the original X11 display. +.Pp +If this option is set to +.Cm no +(the default), +remote X11 clients will be considered untrusted and prevented +from stealing or tampering with data belonging to trusted X11 +clients. +Furthermore, the +.Xr xauth 1 +token used for the session will be set to expire after 20 minutes. +Remote clients will be refused access after this time. +.Pp +See the X11 SECURITY extension specification for full details on +the restrictions imposed on untrusted clients. +.It Cm GatewayPorts +Specifies whether remote hosts are allowed to connect to local +forwarded ports. +By default, +.Xr ssh 1 +binds local port forwardings to the loopback address. +This prevents other remote hosts from connecting to forwarded ports. +.Cm GatewayPorts +can be used to specify that ssh +should bind local port forwardings to the wildcard address, +thus allowing remote hosts to connect to forwarded ports. +The argument must be +.Cm yes +or +.Cm no +(the default). +.It Cm GlobalKnownHostsFile +Specifies one or more files to use for the global +host key database, separated by whitespace. +The default is +.Pa /etc/ssh/ssh_known_hosts , +.Pa /etc/ssh/ssh_known_hosts2 . +.It Cm GSSAPIAuthentication +Specifies whether user authentication based on GSSAPI is allowed. +The default is +.Cm no . +.It Cm GSSAPIDelegateCredentials +Forward (delegate) credentials to the server. +The default is +.Cm no . +.It Cm HashKnownHosts +Indicates that +.Xr ssh 1 +should hash host names and addresses when they are added to +.Pa ~/.ssh/known_hosts . +These hashed names may be used normally by +.Xr ssh 1 +and +.Xr sshd 8 , +but they do not visually reveal identifying information if the +file's contents are disclosed. +The default is +.Cm no . +Note that existing names and addresses in known hosts files +will not be converted automatically, +but may be manually hashed using +.Xr ssh-keygen 1 . +.It Cm HostbasedAcceptedAlgorithms +Specifies the signature algorithms that will be used for hostbased +authentication as a comma-separated list of patterns. +Alternately if the specified list begins with a +.Sq + +character, then the specified signature algorithms will be appended +to the default set instead of replacing them. +If the specified list begins with a +.Sq - +character, then the specified signature algorithms (including wildcards) +will be removed from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified signature algorithms will be placed +at the head of the default set. +The default for this option is: +.Bd -literal -offset 3n +ssh-ed25519-cert-v01@openssh.com, +ecdsa-sha2-nistp256-cert-v01@openssh.com, +ecdsa-sha2-nistp384-cert-v01@openssh.com, +ecdsa-sha2-nistp521-cert-v01@openssh.com, +sk-ssh-ed25519-cert-v01@openssh.com, +sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, +rsa-sha2-512-cert-v01@openssh.com, +rsa-sha2-256-cert-v01@openssh.com, +ssh-ed25519, +ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +sk-ssh-ed25519@openssh.com, +sk-ecdsa-sha2-nistp256@openssh.com, +rsa-sha2-512,rsa-sha2-256 +.Ed +.Pp +The +.Fl Q +option of +.Xr ssh 1 +may be used to list supported signature algorithms. +This was formerly named HostbasedKeyTypes. +.It Cm HostbasedAuthentication +Specifies whether to try rhosts based authentication with public key +authentication. +The argument must be +.Cm yes +or +.Cm no +(the default). +.It Cm HostKeyAlgorithms +Specifies the host key signature algorithms +that the client wants to use in order of preference. +Alternately if the specified list begins with a +.Sq + +character, then the specified signature algorithms will be appended to +the default set instead of replacing them. +If the specified list begins with a +.Sq - +character, then the specified signature algorithms (including wildcards) +will be removed from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified signature algorithms will be placed +at the head of the default set. +The default for this option is: +.Bd -literal -offset 3n +ssh-ed25519-cert-v01@openssh.com, +ecdsa-sha2-nistp256-cert-v01@openssh.com, +ecdsa-sha2-nistp384-cert-v01@openssh.com, +ecdsa-sha2-nistp521-cert-v01@openssh.com, +sk-ssh-ed25519-cert-v01@openssh.com, +sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, +rsa-sha2-512-cert-v01@openssh.com, +rsa-sha2-256-cert-v01@openssh.com, +ssh-ed25519, +ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +sk-ecdsa-sha2-nistp256@openssh.com, +sk-ssh-ed25519@openssh.com, +rsa-sha2-512,rsa-sha2-256 +.Ed +.Pp +If hostkeys are known for the destination host then this default is modified +to prefer their algorithms. +.Pp +The list of available signature algorithms may also be obtained using +.Qq ssh -Q HostKeyAlgorithms . +.It Cm HostKeyAlias +Specifies an alias that should be used instead of the +real host name when looking up or saving the host key +in the host key database files and when validating host certificates. +This option is useful for tunneling SSH connections +or for multiple servers running on a single host. +.It Cm Hostname +Specifies the real host name to log into. +This can be used to specify nicknames or abbreviations for hosts. +Arguments to +.Cm Hostname +accept the tokens described in the +.Sx TOKENS +section. +Numeric IP addresses are also permitted (both on the command line and in +.Cm Hostname +specifications). +The default is the name given on the command line. +.It Cm IdentitiesOnly +Specifies that +.Xr ssh 1 +should only use the configured authentication identity and certificate files +(either the default files, or those explicitly configured in the +.Nm +files +or passed on the +.Xr ssh 1 +command-line), +even if +.Xr ssh-agent 1 +or a +.Cm PKCS11Provider +or +.Cm SecurityKeyProvider +offers more identities. +The argument to this keyword must be +.Cm yes +or +.Cm no +(the default). +This option is intended for situations where ssh-agent +offers many different identities. +.It Cm IdentityAgent +Specifies the +.Ux Ns -domain +socket used to communicate with the authentication agent. +.Pp +This option overrides the +.Ev SSH_AUTH_SOCK +environment variable and can be used to select a specific agent. +Setting the socket name to +.Cm none +disables the use of an authentication agent. +If the string +.Qq SSH_AUTH_SOCK +is specified, the location of the socket will be read from the +.Ev SSH_AUTH_SOCK +environment variable. +Otherwise if the specified value begins with a +.Sq $ +character, then it will be treated as an environment variable containing +the location of the socket. +.Pp +Arguments to +.Cm IdentityAgent +may use the tilde syntax to refer to a user's home directory, +the tokens described in the +.Sx TOKENS +section and environment variables as described in the +.Sx ENVIRONMENT VARIABLES +section. +.It Cm IdentityFile +Specifies a file from which the user's DSA, ECDSA, authenticator-hosted ECDSA, +Ed25519, authenticator-hosted Ed25519 or RSA authentication identity is read. +You can also specify a public key file to use the corresponding +private key that is loaded in +.Xr ssh-agent 1 +when the private key file is not present locally. +The default is +.Pa ~/.ssh/id_rsa , +.Pa ~/.ssh/id_ecdsa , +.Pa ~/.ssh/id_ecdsa_sk , +.Pa ~/.ssh/id_ed25519 , +.Pa ~/.ssh/id_ed25519_sk +and +.Pa ~/.ssh/id_dsa . +Additionally, any identities represented by the authentication agent +will be used for authentication unless +.Cm IdentitiesOnly +is set. +If no certificates have been explicitly specified by +.Cm CertificateFile , +.Xr ssh 1 +will try to load certificate information from the filename obtained by +appending +.Pa -cert.pub +to the path of a specified +.Cm IdentityFile . +.Pp +Arguments to +.Cm IdentityFile +may use the tilde syntax to refer to a user's home directory +or the tokens described in the +.Sx TOKENS +section. +.Pp +It is possible to have +multiple identity files specified in configuration files; all these +identities will be tried in sequence. +Multiple +.Cm IdentityFile +directives will add to the list of identities tried (this behaviour +differs from that of other configuration directives). +.Pp +.Cm IdentityFile +may be used in conjunction with +.Cm IdentitiesOnly +to select which identities in an agent are offered during authentication. +.Cm IdentityFile +may also be used in conjunction with +.Cm CertificateFile +in order to provide any certificate also needed for authentication with +the identity. +.It Cm IgnoreUnknown +Specifies a pattern-list of unknown options to be ignored if they are +encountered in configuration parsing. +This may be used to suppress errors if +.Nm +contains options that are unrecognised by +.Xr ssh 1 . +It is recommended that +.Cm IgnoreUnknown +be listed early in the configuration file as it will not be applied +to unknown options that appear before it. +.It Cm Include +Include the specified configuration file(s). +Multiple pathnames may be specified and each pathname may contain +.Xr glob 7 +wildcards and, for user configurations, shell-like +.Sq ~ +references to user home directories. +Wildcards will be expanded and processed in lexical order. +Files without absolute paths are assumed to be in +.Pa ~/.ssh +if included in a user configuration file or +.Pa /etc/ssh +if included from the system configuration file. +.Cm Include +directive may appear inside a +.Cm Match +or +.Cm Host +block +to perform conditional inclusion. +.It Cm IPQoS +Specifies the IPv4 type-of-service or DSCP class for connections. +Accepted values are +.Cm af11 , +.Cm af12 , +.Cm af13 , +.Cm af21 , +.Cm af22 , +.Cm af23 , +.Cm af31 , +.Cm af32 , +.Cm af33 , +.Cm af41 , +.Cm af42 , +.Cm af43 , +.Cm cs0 , +.Cm cs1 , +.Cm cs2 , +.Cm cs3 , +.Cm cs4 , +.Cm cs5 , +.Cm cs6 , +.Cm cs7 , +.Cm ef , +.Cm le , +.Cm lowdelay , +.Cm throughput , +.Cm reliability , +a numeric value, or +.Cm none +to use the operating system default. +This option may take one or two arguments, separated by whitespace. +If one argument is specified, it is used as the packet class unconditionally. +If two values are specified, the first is automatically selected for +interactive sessions and the second for non-interactive sessions. +The default is +.Cm af21 +(Low-Latency Data) +for interactive sessions and +.Cm cs1 +(Lower Effort) +for non-interactive sessions. +.It Cm KbdInteractiveAuthentication +Specifies whether to use keyboard-interactive authentication. +The argument to this keyword must be +.Cm yes +(the default) +or +.Cm no . +.Cm ChallengeResponseAuthentication +is a deprecated alias for this. +.It Cm KbdInteractiveDevices +Specifies the list of methods to use in keyboard-interactive authentication. +Multiple method names must be comma-separated. +The default is to use the server specified list. +The methods available vary depending on what the server supports. +For an OpenSSH server, +it may be zero or more of: +.Cm bsdauth +and +.Cm pam . +.It Cm KexAlgorithms +Specifies the available KEX (Key Exchange) algorithms. +Multiple algorithms must be comma-separated. +If the specified list begins with a +.Sq + +character, then the specified algorithms will be appended to the default set +instead of replacing them. +If the specified list begins with a +.Sq - +character, then the specified algorithms (including wildcards) will be removed +from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified algorithms will be placed at the head of the +default set. +The default is: +.Bd -literal -offset indent +sntrup761x25519-sha512@openssh.com, +curve25519-sha256,curve25519-sha256@libssh.org, +ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, +diffie-hellman-group-exchange-sha256, +diffie-hellman-group16-sha512, +diffie-hellman-group18-sha512, +diffie-hellman-group14-sha256 +.Ed +.Pp +The list of available key exchange algorithms may also be obtained using +.Qq ssh -Q kex . +.It Cm KnownHostsCommand +Specifies a command to use to obtain a list of host keys, in addition to +those listed in +.Cm UserKnownHostsFile +and +.Cm GlobalKnownHostsFile . +This command is executed after the files have been read. +It may write host key lines to standard output in identical format to the +usual files (described in the +.Sx VERIFYING HOST KEYS +section in +.Xr ssh 1 ) . +Arguments to +.Cm KnownHostsCommand +accept the tokens described in the +.Sx TOKENS +section. +The command may be invoked multiple times per connection: once when preparing +the preference list of host key algorithms to use, again to obtain the +host key for the requested host name and, if +.Cm CheckHostIP +is enabled, one more time to obtain the host key matching the server's +address. +If the command exits abnormally or returns a non-zero exit status then the +connection is terminated. +.It Cm LocalCommand +Specifies a command to execute on the local machine after successfully +connecting to the server. +The command string extends to the end of the line, and is executed with +the user's shell. +Arguments to +.Cm LocalCommand +accept the tokens described in the +.Sx TOKENS +section. +.Pp +The command is run synchronously and does not have access to the +session of the +.Xr ssh 1 +that spawned it. +It should not be used for interactive commands. +.Pp +This directive is ignored unless +.Cm PermitLocalCommand +has been enabled. +.It Cm LocalForward +Specifies that a TCP port on the local machine be forwarded over +the secure channel to the specified host and port from the remote machine. +The first argument specifies the listener and may be +.Sm off +.Oo Ar bind_address : Oc Ar port +.Sm on +or a Unix domain socket path. +The second argument is the destination and may be +.Ar host : Ns Ar hostport +or a Unix domain socket path if the remote host supports it. +.Pp +IPv6 addresses can be specified by enclosing addresses in square brackets. +Multiple forwardings may be specified, and additional forwardings can be +given on the command line. +Only the superuser can forward privileged ports. +By default, the local port is bound in accordance with the +.Cm GatewayPorts +setting. +However, an explicit +.Ar bind_address +may be used to bind the connection to a specific address. +The +.Ar bind_address +of +.Cm localhost +indicates that the listening port be bound for local use only, while an +empty address or +.Sq * +indicates that the port should be available from all interfaces. +Unix domain socket paths may use the tokens described in the +.Sx TOKENS +section and environment variables as described in the +.Sx ENVIRONMENT VARIABLES +section. +.It Cm LogLevel +Gives the verbosity level that is used when logging messages from +.Xr ssh 1 . +The possible values are: +QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. +The default is INFO. +DEBUG and DEBUG1 are equivalent. +DEBUG2 and DEBUG3 each specify higher levels of verbose output. +.It Cm LogVerbose +Specify one or more overrides to LogLevel. +An override consists of a pattern lists that matches the source file, function +and line number to force detailed logging for. +For example, an override pattern of: +.Bd -literal -offset indent +kex.c:*:1000,*:kex_exchange_identification():*,packet.c:* +.Ed +.Pp +would enable detailed logging for line 1000 of +.Pa kex.c , +everything in the +.Fn kex_exchange_identification +function, and all code in the +.Pa packet.c +file. +This option is intended for debugging and no overrides are enabled by default. +.It Cm MACs +Specifies the MAC (message authentication code) algorithms +in order of preference. +The MAC algorithm is used for data integrity protection. +Multiple algorithms must be comma-separated. +If the specified list begins with a +.Sq + +character, then the specified algorithms will be appended to the default set +instead of replacing them. +If the specified list begins with a +.Sq - +character, then the specified algorithms (including wildcards) will be removed +from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified algorithms will be placed at the head of the +default set. +.Pp +The algorithms that contain +.Qq -etm +calculate the MAC after encryption (encrypt-then-mac). +These are considered safer and their use recommended. +.Pp +The default is: +.Bd -literal -offset indent +umac-64-etm@openssh.com,umac-128-etm@openssh.com, +hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, +hmac-sha1-etm@openssh.com, +umac-64@openssh.com,umac-128@openssh.com, +hmac-sha2-256,hmac-sha2-512,hmac-sha1 +.Ed +.Pp +The list of available MAC algorithms may also be obtained using +.Qq ssh -Q mac . +.It Cm NoHostAuthenticationForLocalhost +Disable host authentication for localhost (loopback addresses). +The argument to this keyword must be +.Cm yes +or +.Cm no +(the default). +.It Cm NumberOfPasswordPrompts +Specifies the number of password prompts before giving up. +The argument to this keyword must be an integer. +The default is 3. +.It Cm PasswordAuthentication +Specifies whether to use password authentication. +The argument to this keyword must be +.Cm yes +(the default) +or +.Cm no . +.It Cm PermitLocalCommand +Allow local command execution via the +.Ic LocalCommand +option or using the +.Ic !\& Ns Ar command +escape sequence in +.Xr ssh 1 . +The argument must be +.Cm yes +or +.Cm no +(the default). +.It Cm PermitRemoteOpen +Specifies the destinations to which remote TCP port forwarding is permitted when +.Cm RemoteForward +is used as a SOCKS proxy. +The forwarding specification must be one of the following forms: +.Pp +.Bl -item -offset indent -compact +.It +.Cm PermitRemoteOpen +.Sm off +.Ar host : port +.Sm on +.It +.Cm PermitRemoteOpen +.Sm off +.Ar IPv4_addr : port +.Sm on +.It +.Cm PermitRemoteOpen +.Sm off +.Ar \&[ IPv6_addr \&] : port +.Sm on +.El +.Pp +Multiple forwards may be specified by separating them with whitespace. +An argument of +.Cm any +can be used to remove all restrictions and permit any forwarding requests. +An argument of +.Cm none +can be used to prohibit all forwarding requests. +The wildcard +.Sq * +can be used for host or port to allow all hosts or ports respectively. +Otherwise, no pattern matching or address lookups are performed on supplied +names. +.It Cm PKCS11Provider +Specifies which PKCS#11 provider to use or +.Cm none +to indicate that no provider should be used (the default). +The argument to this keyword is a path to the PKCS#11 shared library +.Xr ssh 1 +should use to communicate with a PKCS#11 token providing keys for user +authentication. +.It Cm Port +Specifies the port number to connect on the remote host. +The default is 22. +.It Cm PreferredAuthentications +Specifies the order in which the client should try authentication methods. +This allows a client to prefer one method (e.g.\& +.Cm keyboard-interactive ) +over another method (e.g.\& +.Cm password ) . +The default is: +.Bd -literal -offset indent +gssapi-with-mic,hostbased,publickey, +keyboard-interactive,password +.Ed +.It Cm ProxyCommand +Specifies the command to use to connect to the server. +The command +string extends to the end of the line, and is executed +using the user's shell +.Ql exec +directive to avoid a lingering shell process. +.Pp +Arguments to +.Cm ProxyCommand +accept the tokens described in the +.Sx TOKENS +section. +The command can be basically anything, +and should read from its standard input and write to its standard output. +It should eventually connect an +.Xr sshd 8 +server running on some machine, or execute +.Ic sshd -i +somewhere. +Host key management will be done using the +.Cm Hostname +of the host being connected (defaulting to the name typed by the user). +Setting the command to +.Cm none +disables this option entirely. +Note that +.Cm CheckHostIP +is not available for connects with a proxy command. +.Pp +This directive is useful in conjunction with +.Xr nc 1 +and its proxy support. +For example, the following directive would connect via an HTTP proxy at +192.0.2.0: +.Bd -literal -offset 3n +ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p +.Ed +.It Cm ProxyJump +Specifies one or more jump proxies as either +.Xo +.Sm off +.Op Ar user No @ +.Ar host +.Op : Ns Ar port +.Sm on +or an ssh URI +.Xc . +Multiple proxies may be separated by comma characters and will be visited +sequentially. +Setting this option will cause +.Xr ssh 1 +to connect to the target host by first making a +.Xr ssh 1 +connection to the specified +.Cm ProxyJump +host and then establishing a +TCP forwarding to the ultimate target from there. +Setting the host to +.Cm none +disables this option entirely. +.Pp +Note that this option will compete with the +.Cm ProxyCommand +option - whichever is specified first will prevent later instances of the +other from taking effect. +.Pp +Note also that the configuration for the destination host (either supplied +via the command-line or the configuration file) is not generally applied +to jump hosts. +.Pa ~/.ssh/config +should be used if specific configuration is required for jump hosts. +.It Cm ProxyUseFdpass +Specifies that +.Cm ProxyCommand +will pass a connected file descriptor back to +.Xr ssh 1 +instead of continuing to execute and pass data. +The default is +.Cm no . +.It Cm PubkeyAcceptedAlgorithms +Specifies the signature algorithms that will be used for public key +authentication as a comma-separated list of patterns. +If the specified list begins with a +.Sq + +character, then the algorithms after it will be appended to the default +instead of replacing it. +If the specified list begins with a +.Sq - +character, then the specified algorithms (including wildcards) will be removed +from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified algorithms will be placed at the head of the +default set. +The default for this option is: +.Bd -literal -offset 3n +ssh-ed25519-cert-v01@openssh.com, +ecdsa-sha2-nistp256-cert-v01@openssh.com, +ecdsa-sha2-nistp384-cert-v01@openssh.com, +ecdsa-sha2-nistp521-cert-v01@openssh.com, +sk-ssh-ed25519-cert-v01@openssh.com, +sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, +rsa-sha2-512-cert-v01@openssh.com, +rsa-sha2-256-cert-v01@openssh.com, +ssh-ed25519, +ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +sk-ssh-ed25519@openssh.com, +sk-ecdsa-sha2-nistp256@openssh.com, +rsa-sha2-512,rsa-sha2-256 +.Ed +.Pp +The list of available signature algorithms may also be obtained using +.Qq ssh -Q PubkeyAcceptedAlgorithms . +.It Cm PubkeyAuthentication +Specifies whether to try public key authentication. +The argument to this keyword must be +.Cm yes +(the default), +.Cm no , +.Cm unbound +or +.Cm host-bound . +The final two options enable public key authentication while respectively +disabling or enabling the OpenSSH host-bound authentication protocol +extension required for restricted +.Xr ssh-agent 1 +forwarding. +.It Cm RekeyLimit +Specifies the maximum amount of data that may be transmitted or received +before the session key is renegotiated, optionally followed by a maximum +amount of time that may pass before the session key is renegotiated. +The first argument is specified in bytes and may have a suffix of +.Sq K , +.Sq M , +or +.Sq G +to indicate Kilobytes, Megabytes, or Gigabytes, respectively. +The default is between +.Sq 1G +and +.Sq 4G , +depending on the cipher. +The optional second value is specified in seconds and may use any of the +units documented in the TIME FORMATS section of +.Xr sshd_config 5 . +The default value for +.Cm RekeyLimit +is +.Cm default none , +which means that rekeying is performed after the cipher's default amount +of data has been sent or received and no time based rekeying is done. +.It Cm RemoteCommand +Specifies a command to execute on the remote machine after successfully +connecting to the server. +The command string extends to the end of the line, and is executed with +the user's shell. +Arguments to +.Cm RemoteCommand +accept the tokens described in the +.Sx TOKENS +section. +.It Cm RemoteForward +Specifies that a TCP port on the remote machine be forwarded over +the secure channel. +The remote port may either be forwarded to a specified host and port +from the local machine, or may act as a SOCKS 4/5 proxy that allows a remote +client to connect to arbitrary destinations from the local machine. +The first argument is the listening specification and may be +.Sm off +.Oo Ar bind_address : Oc Ar port +.Sm on +or, if the remote host supports it, a Unix domain socket path. +If forwarding to a specific destination then the second argument must be +.Ar host : Ns Ar hostport +or a Unix domain socket path, +otherwise if no destination argument is specified then the remote forwarding +will be established as a SOCKS proxy. +When acting as a SOCKS proxy, the destination of the connection can be +restricted by +.Cm PermitRemoteOpen . +.Pp +IPv6 addresses can be specified by enclosing addresses in square brackets. +Multiple forwardings may be specified, and additional +forwardings can be given on the command line. +Privileged ports can be forwarded only when +logging in as root on the remote machine. +Unix domain socket paths may use the tokens described in the +.Sx TOKENS +section and environment variables as described in the +.Sx ENVIRONMENT VARIABLES +section. +.Pp +If the +.Ar port +argument is 0, +the listen port will be dynamically allocated on the server and reported +to the client at run time. +.Pp +If the +.Ar bind_address +is not specified, the default is to only bind to loopback addresses. +If the +.Ar bind_address +is +.Ql * +or an empty string, then the forwarding is requested to listen on all +interfaces. +Specifying a remote +.Ar bind_address +will only succeed if the server's +.Cm GatewayPorts +option is enabled (see +.Xr sshd_config 5 ) . +.It Cm RequestTTY +Specifies whether to request a pseudo-tty for the session. +The argument may be one of: +.Cm no +(never request a TTY), +.Cm yes +(always request a TTY when standard input is a TTY), +.Cm force +(always request a TTY) or +.Cm auto +(request a TTY when opening a login session). +This option mirrors the +.Fl t +and +.Fl T +flags for +.Xr ssh 1 . +.It Cm RequiredRSASize +Specifies the minimum RSA key size (in bits) that +.Xr ssh 1 +will accept. +User authentication keys smaller than this limit will be ignored. +Servers that present host keys smaller than this limit will cause the +connection to be terminated. +The default is +.Cm 1024 +bits. +Note that this limit may only be raised from the default. +.It Cm RevokedHostKeys +Specifies revoked host public keys. +Keys listed in this file will be refused for host authentication. +Note that if this file does not exist or is not readable, +then host authentication will be refused for all hosts. +Keys may be specified as a text file, listing one public key per line, or as +an OpenSSH Key Revocation List (KRL) as generated by +.Xr ssh-keygen 1 . +For more information on KRLs, see the KEY REVOCATION LISTS section in +.Xr ssh-keygen 1 . +.It Cm SecurityKeyProvider +Specifies a path to a library that will be used when loading any +FIDO authenticator-hosted keys, overriding the default of using +the built-in USB HID support. +.Pp +If the specified value begins with a +.Sq $ +character, then it will be treated as an environment variable containing +the path to the library. +.It Cm SendEnv +Specifies what variables from the local +.Xr environ 7 +should be sent to the server. +The server must also support it, and the server must be configured to +accept these environment variables. +Note that the +.Ev TERM +environment variable is always sent whenever a +pseudo-terminal is requested as it is required by the protocol. +Refer to +.Cm AcceptEnv +in +.Xr sshd_config 5 +for how to configure the server. +Variables are specified by name, which may contain wildcard characters. +Multiple environment variables may be separated by whitespace or spread +across multiple +.Cm SendEnv +directives. +.Pp +See +.Sx PATTERNS +for more information on patterns. +.Pp +It is possible to clear previously set +.Cm SendEnv +variable names by prefixing patterns with +.Pa - . +The default is not to send any environment variables. +.It Cm ServerAliveCountMax +Sets the number of server alive messages (see below) which may be +sent without +.Xr ssh 1 +receiving any messages back from the server. +If this threshold is reached while server alive messages are being sent, +ssh will disconnect from the server, terminating the session. +It is important to note that the use of server alive messages is very +different from +.Cm TCPKeepAlive +(below). +The server alive messages are sent through the encrypted channel +and therefore will not be spoofable. +The TCP keepalive option enabled by +.Cm TCPKeepAlive +is spoofable. +The server alive mechanism is valuable when the client or +server depend on knowing when a connection has become unresponsive. +.Pp +The default value is 3. +If, for example, +.Cm ServerAliveInterval +(see below) is set to 15 and +.Cm ServerAliveCountMax +is left at the default, if the server becomes unresponsive, +ssh will disconnect after approximately 45 seconds. +.It Cm ServerAliveInterval +Sets a timeout interval in seconds after which if no data has been received +from the server, +.Xr ssh 1 +will send a message through the encrypted +channel to request a response from the server. +The default +is 0, indicating that these messages will not be sent to the server. +.It Cm SessionType +May be used to either request invocation of a subsystem on the remote system, +or to prevent the execution of a remote command at all. +The latter is useful for just forwarding ports. +The argument to this keyword must be +.Cm none +(same as the +.Fl N +option), +.Cm subsystem +(same as the +.Fl s +option) or +.Cm default +(shell or command execution). +.It Cm SetEnv +Directly specify one or more environment variables and their contents to +be sent to the server. +Similarly to +.Cm SendEnv , +with the exception of the +.Ev TERM +variable, the server must be prepared to accept the environment variable. +.It Cm StdinNull +Redirects stdin from +.Pa /dev/null +(actually, prevents reading from stdin). +Either this or the equivalent +.Fl n +option must be used when +.Nm ssh +is run in the background. +The argument to this keyword must be +.Cm yes +(same as the +.Fl n +option) or +.Cm no +(the default). +.It Cm StreamLocalBindMask +Sets the octal file creation mode mask +.Pq umask +used when creating a Unix-domain socket file for local or remote +port forwarding. +This option is only used for port forwarding to a Unix-domain socket file. +.Pp +The default value is 0177, which creates a Unix-domain socket file that is +readable and writable only by the owner. +Note that not all operating systems honor the file mode on Unix-domain +socket files. +.It Cm StreamLocalBindUnlink +Specifies whether to remove an existing Unix-domain socket file for local +or remote port forwarding before creating a new one. +If the socket file already exists and +.Cm StreamLocalBindUnlink +is not enabled, +.Nm ssh +will be unable to forward the port to the Unix-domain socket file. +This option is only used for port forwarding to a Unix-domain socket file. +.Pp +The argument must be +.Cm yes +or +.Cm no +(the default). +.It Cm StrictHostKeyChecking +If this flag is set to +.Cm yes , +.Xr ssh 1 +will never automatically add host keys to the +.Pa ~/.ssh/known_hosts +file, and refuses to connect to hosts whose host key has changed. +This provides maximum protection against man-in-the-middle (MITM) attacks, +though it can be annoying when the +.Pa /etc/ssh/ssh_known_hosts +file is poorly maintained or when connections to new hosts are +frequently made. +This option forces the user to manually +add all new hosts. +.Pp +If this flag is set to +.Cm accept-new +then ssh will automatically add new host keys to the user's +.Pa known_hosts +file, but will not permit connections to hosts with +changed host keys. +If this flag is set to +.Cm no +or +.Cm off , +ssh will automatically add new host keys to the user known hosts files +and allow connections to hosts with changed hostkeys to proceed, +subject to some restrictions. +If this flag is set to +.Cm ask +(the default), +new host keys +will be added to the user known host files only after the user +has confirmed that is what they really want to do, and +ssh will refuse to connect to hosts whose host key has changed. +The host keys of +known hosts will be verified automatically in all cases. +.It Cm SyslogFacility +Gives the facility code that is used when logging messages from +.Xr ssh 1 . +The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, +LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. +The default is USER. +.It Cm TCPKeepAlive +Specifies whether the system should send TCP keepalive messages to the +other side. +If they are sent, death of the connection or crash of one +of the machines will be properly noticed. +However, this means that +connections will die if the route is down temporarily, and some people +find it annoying. +.Pp +The default is +.Cm yes +(to send TCP keepalive messages), and the client will notice +if the network goes down or the remote host dies. +This is important in scripts, and many users want it too. +.Pp +To disable TCP keepalive messages, the value should be set to +.Cm no . +See also +.Cm ServerAliveInterval +for protocol-level keepalives. +.It Cm Tunnel +Request +.Xr tun 4 +device forwarding between the client and the server. +The argument must be +.Cm yes , +.Cm point-to-point +(layer 3), +.Cm ethernet +(layer 2), +or +.Cm no +(the default). +Specifying +.Cm yes +requests the default tunnel mode, which is +.Cm point-to-point . +.It Cm TunnelDevice +Specifies the +.Xr tun 4 +devices to open on the client +.Pq Ar local_tun +and the server +.Pq Ar remote_tun . +.Pp +The argument must be +.Sm off +.Ar local_tun Op : Ar remote_tun . +.Sm on +The devices may be specified by numerical ID or the keyword +.Cm any , +which uses the next available tunnel device. +If +.Ar remote_tun +is not specified, it defaults to +.Cm any . +The default is +.Cm any:any . +.It Cm UpdateHostKeys +Specifies whether +.Xr ssh 1 +should accept notifications of additional hostkeys from the server sent +after authentication has completed and add them to +.Cm UserKnownHostsFile . +The argument must be +.Cm yes , +.Cm no +or +.Cm ask . +This option allows learning alternate hostkeys for a server +and supports graceful key rotation by allowing a server to send replacement +public keys before old ones are removed. +.Pp +Additional hostkeys are only accepted if the key used to authenticate the +host was already trusted or explicitly accepted by the user, the host was +authenticated via +.Cm UserKnownHostsFile +(i.e. not +.Cm GlobalKnownHostsFile ) +and the host was authenticated using a plain key and not a certificate. +.Pp +.Cm UpdateHostKeys +is enabled by default if the user has not overridden the default +.Cm UserKnownHostsFile +setting and has not enabled +.Cm VerifyHostKeyDNS , +otherwise +.Cm UpdateHostKeys +will be set to +.Cm no . +.Pp +If +.Cm UpdateHostKeys +is set to +.Cm ask , +then the user is asked to confirm the modifications to the known_hosts file. +Confirmation is currently incompatible with +.Cm ControlPersist , +and will be disabled if it is enabled. +.Pp +Presently, only +.Xr sshd 8 +from OpenSSH 6.8 and greater support the +.Qq hostkeys@openssh.com +protocol extension used to inform the client of all the server's hostkeys. +.It Cm User +Specifies the user to log in as. +This can be useful when a different user name is used on different machines. +This saves the trouble of +having to remember to give the user name on the command line. +.It Cm UserKnownHostsFile +Specifies one or more files to use for the user +host key database, separated by whitespace. +Each filename may use tilde notation to refer to the user's home directory, +the tokens described in the +.Sx TOKENS +section and environment variables as described in the +.Sx ENVIRONMENT VARIABLES +section. +A value of +.Cm none +causes +.Xr ssh 1 +to ignore any user-specific known hosts files. +The default is +.Pa ~/.ssh/known_hosts , +.Pa ~/.ssh/known_hosts2 . +.It Cm VerifyHostKeyDNS +Specifies whether to verify the remote key using DNS and SSHFP resource +records. +If this option is set to +.Cm yes , +the client will implicitly trust keys that match a secure fingerprint +from DNS. +Insecure fingerprints will be handled as if this option was set to +.Cm ask . +If this option is set to +.Cm ask , +information on fingerprint match will be displayed, but the user will still +need to confirm new host keys according to the +.Cm StrictHostKeyChecking +option. +The default is +.Cm no . +.Pp +See also +.Sx VERIFYING HOST KEYS +in +.Xr ssh 1 . +.It Cm VisualHostKey +If this flag is set to +.Cm yes , +an ASCII art representation of the remote host key fingerprint is +printed in addition to the fingerprint string at login and +for unknown host keys. +If this flag is set to +.Cm no +(the default), +no fingerprint strings are printed at login and +only the fingerprint string will be printed for unknown host keys. +.It Cm XAuthLocation +Specifies the full pathname of the +.Xr xauth 1 +program. +The default is +.Pa /usr/X11R6/bin/xauth . +.El +.Sh PATTERNS +A +.Em pattern +consists of zero or more non-whitespace characters, +.Sq * +(a wildcard that matches zero or more characters), +or +.Sq ?\& +(a wildcard that matches exactly one character). +For example, to specify a set of declarations for any host in the +.Qq .co.uk +set of domains, +the following pattern could be used: +.Pp +.Dl Host *.co.uk +.Pp +The following pattern +would match any host in the 192.168.0.[0-9] network range: +.Pp +.Dl Host 192.168.0.? +.Pp +A +.Em pattern-list +is a comma-separated list of patterns. +Patterns within pattern-lists may be negated +by preceding them with an exclamation mark +.Pq Sq !\& . +For example, +to allow a key to be used from anywhere within an organization +except from the +.Qq dialup +pool, +the following entry (in authorized_keys) could be used: +.Pp +.Dl from=\&"!*.dialup.example.com,*.example.com\&" +.Pp +Note that a negated match will never produce a positive result by itself. +For example, attempting to match +.Qq host3 +against the following pattern-list will fail: +.Pp +.Dl from=\&"!host1,!host2\&" +.Pp +The solution here is to include a term that will yield a positive match, +such as a wildcard: +.Pp +.Dl from=\&"!host1,!host2,*\&" +.Sh TOKENS +Arguments to some keywords can make use of tokens, +which are expanded at runtime: +.Pp +.Bl -tag -width XXXX -offset indent -compact +.It %% +A literal +.Sq % . +.It \&%C +Hash of %l%h%p%r. +.It %d +Local user's home directory. +.It %f +The fingerprint of the server's host key. +.It %H +The +.Pa known_hosts +hostname or address that is being searched for. +.It %h +The remote hostname. +.It \%%I +A string describing the reason for a +.Cm KnownHostsCommand +execution: either +.Cm ADDRESS +when looking up a host by address (only when +.Cm CheckHostIP +is enabled), +.Cm HOSTNAME +when searching by hostname, or +.Cm ORDER +when preparing the host key algorithm preference list to use for the +destination host. +.It %i +The local user ID. +.It %K +The base64 encoded host key. +.It %k +The host key alias if specified, otherwise the original remote hostname given +on the command line. +.It %L +The local hostname. +.It %l +The local hostname, including the domain name. +.It %n +The original remote hostname, as given on the command line. +.It %p +The remote port. +.It %r +The remote username. +.It \&%T +The local +.Xr tun 4 +or +.Xr tap 4 +network interface assigned if +tunnel forwarding was requested, or +.Qq NONE +otherwise. +.It %t +The type of the server host key, e.g. +.Cm ssh-ed25519 . +.It %u +The local username. +.El +.Pp +.Cm CertificateFile , +.Cm ControlPath , +.Cm IdentityAgent , +.Cm IdentityFile , +.Cm KnownHostsCommand , +.Cm LocalForward , +.Cm Match exec , +.Cm RemoteCommand , +.Cm RemoteForward , +and +.Cm UserKnownHostsFile +accept the tokens %%, %C, %d, %h, %i, %k, %L, %l, %n, %p, %r, and %u. +.Pp +.Cm KnownHostsCommand +additionally accepts the tokens %f, %H, %I, %K and %t. +.Pp +.Cm Hostname +accepts the tokens %% and %h. +.Pp +.Cm LocalCommand +accepts all tokens. +.Pp +.Cm ProxyCommand +and +.Cm ProxyJump +accept the tokens %%, %h, %n, %p, and %r. +.Sh ENVIRONMENT VARIABLES +Arguments to some keywords can be expanded at runtime from environment +variables on the client by enclosing them in +.Ic ${} , +for example +.Ic ${HOME}/.ssh +would refer to the user's .ssh directory. +If a specified environment variable does not exist then an error will be +returned and the setting for that keyword will be ignored. +.Pp +The keywords +.Cm CertificateFile , +.Cm ControlPath , +.Cm IdentityAgent , +.Cm IdentityFile , +.Cm KnownHostsCommand , +and +.Cm UserKnownHostsFile +support environment variables. +The keywords +.Cm LocalForward +and +.Cm RemoteForward +support environment variables only for Unix domain socket paths. +.Sh FILES +.Bl -tag -width Ds +.It Pa ~/.ssh/config +This is the per-user configuration file. +The format of this file is described above. +This file is used by the SSH client. +Because of the potential for abuse, this file must have strict permissions: +read/write for the user, and not writable by others. +.It Pa /etc/ssh/ssh_config +Systemwide configuration file. +This file provides defaults for those +values that are not specified in the user's configuration file, and +for those users who do not have a configuration file. +This file must be world-readable. +.El +.Sh SEE ALSO +.Xr ssh 1 +.Sh AUTHORS +.An -nosplit +OpenSSH is a derivative of the original and free +ssh 1.2.12 release by +.An Tatu Ylonen . +.An Aaron Campbell , Bob Beck , Markus Friedl , +.An Niels Provos , Theo de Raadt +and +.An Dug Song +removed many bugs, re-added newer features and +created OpenSSH. +.An Markus Friedl +contributed the support for SSH protocol versions 1.5 and 2.0. |