summaryrefslogtreecommitdiffstats
path: root/ssh_config.0
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-10 19:49:46 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-10 19:49:46 +0000
commit0b6b94e6b6152f15cf4c2247c5974f539aae28cd (patch)
treea7698198a1f527ede17a929af46e456e03d50600 /ssh_config.0
parentInitial commit. (diff)
downloadopenssh-0b6b94e6b6152f15cf4c2247c5974f539aae28cd.tar.xz
openssh-0b6b94e6b6152f15cf4c2247c5974f539aae28cd.zip
Adding upstream version 1:9.6p1.upstream/1%9.6p1
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'ssh_config.0')
-rw-r--r--ssh_config.01418
1 files changed, 1418 insertions, 0 deletions
diff --git a/ssh_config.0 b/ssh_config.0
new file mode 100644
index 0000000..053cabc
--- /dev/null
+++ b/ssh_config.0
@@ -0,0 +1,1418 @@
+SSH_CONFIG(5) File Formats Manual SSH_CONFIG(5)
+
+NAME
+ ssh_config M-bM-^@M-^S OpenSSH client configuration file
+
+DESCRIPTION
+ ssh(1) obtains configuration data from the following sources in the
+ following order:
+
+ 1. command-line options
+ 2. user's configuration file (~/.ssh/config)
+ 3. system-wide configuration file (/etc/ssh/ssh_config)
+
+ Unless noted otherwise, for each parameter, the first obtained value will
+ be used. The configuration files contain sections separated by Host
+ specifications, and that section is only applied for hosts that match one
+ of the patterns given in the specification. The matched host name is
+ usually the one given on the command line (see the CanonicalizeHostname
+ option for exceptions).
+
+ Since the first obtained value for each parameter is used, more host-
+ specific declarations should be given near the beginning of the file, and
+ general defaults at the end.
+
+ The file contains keyword-argument pairs, one per line. Lines starting
+ with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines are interpreted as comments. Arguments may
+ optionally be enclosed in double quotes (") in order to represent
+ arguments containing spaces. Configuration options may be separated by
+ whitespace or optional whitespace and exactly one M-bM-^@M-^X=M-bM-^@M-^Y; the latter format
+ is useful to avoid the need to quote whitespace when specifying
+ configuration options using the ssh, scp, and sftp -o option.
+
+ The possible keywords and their meanings are as follows (note that
+ keywords are case-insensitive and arguments are case-sensitive):
+
+ Host Restricts the following declarations (up to the next Host or
+ Match keyword) to be only for those hosts that match one of the
+ patterns given after the keyword. If more than one pattern is
+ provided, they should be separated by whitespace. A single M-bM-^@M-^X*M-bM-^@M-^Y
+ as a pattern can be used to provide global defaults for all
+ hosts. The host is usually the hostname argument given on the
+ command line (see the CanonicalizeHostname keyword for
+ exceptions).
+
+ A pattern entry may be negated by prefixing it with an
+ exclamation mark (M-bM-^@M-^X!M-bM-^@M-^Y). If a negated entry is matched, then the
+ Host entry is ignored, regardless of whether any other patterns
+ on the line match. Negated matches are therefore useful to
+ provide exceptions for wildcard matches.
+
+ See PATTERNS for more information on patterns.
+
+ Match Restricts the following declarations (up to the next Host or
+ Match keyword) to be used only when the conditions following the
+ Match keyword are satisfied. Match conditions are specified
+ using one or more criteria or the single token all which always
+ matches. The available criteria keywords are: canonical, final,
+ exec, localnetwork, host, originalhost, Tag, user, and localuser.
+ The all criteria must appear alone or immediately after canonical
+ or final. Other criteria may be combined arbitrarily. All
+ criteria but all, canonical, and final require an argument.
+ Criteria may be negated by prepending an exclamation mark (M-bM-^@M-^X!M-bM-^@M-^Y).
+
+ The canonical keyword matches only when the configuration file is
+ being re-parsed after hostname canonicalization (see the
+ CanonicalizeHostname option). This may be useful to specify
+ conditions that work with canonical host names only.
+
+ The final keyword requests that the configuration be re-parsed
+ (regardless of whether CanonicalizeHostname is enabled), and
+ matches only during this final pass. If CanonicalizeHostname is
+ enabled, then canonical and final match during the same pass.
+
+ The exec keyword executes the specified command under the user's
+ shell. If the command returns a zero exit status then the
+ condition is considered true. Commands containing whitespace
+ characters must be quoted. Arguments to exec accept the tokens
+ described in the TOKENS section.
+
+ The localnetwork keyword matches the addresses of active local
+ network interfaces against the supplied list of networks in CIDR
+ format. This may be convenient for varying the effective
+ configuration on devices that roam between networks. Note that
+ network address is not a trustworthy criteria in many situations
+ (e.g. when the network is automatically configured using DHCP)
+ and so caution should be applied if using it to control security-
+ sensitive configuration.
+
+ The other keywords' criteria must be single entries or comma-
+ separated lists and may use the wildcard and negation operators
+ described in the PATTERNS section. The criteria for the host
+ keyword are matched against the target hostname, after any
+ substitution by the Hostname or CanonicalizeHostname options.
+ The originalhost keyword matches against the hostname as it was
+ specified on the command-line. The tagged keyword matches a tag
+ name specified by a prior Tag directive or on the ssh(1) command-
+ line using the -P flag. The user keyword matches against the
+ target username on the remote host. The localuser keyword
+ matches against the name of the local user running ssh(1) (this
+ keyword may be useful in system-wide ssh_config files).
+
+ AddKeysToAgent
+ Specifies whether keys should be automatically added to a running
+ ssh-agent(1). If this option is set to yes and a key is loaded
+ from a file, the key and its passphrase are added to the agent
+ with the default lifetime, as if by ssh-add(1). If this option
+ is set to ask, ssh(1) will require confirmation using the
+ SSH_ASKPASS program before adding a key (see ssh-add(1) for
+ details). If this option is set to confirm, each use of the key
+ must be confirmed, as if the -c option was specified to
+ ssh-add(1). If this option is set to no, no keys are added to
+ the agent. Alternately, this option may be specified as a time
+ interval using the format described in the TIME FORMATS section
+ of sshd_config(5) to specify the key's lifetime in ssh-agent(1),
+ after which it will automatically be removed. The argument must
+ be no (the default), yes, confirm (optionally followed by a time
+ interval), ask or a time interval.
+
+ AddressFamily
+ Specifies which address family to use when connecting. Valid
+ arguments are any (the default), inet (use IPv4 only), or inet6
+ (use IPv6 only).
+
+ BatchMode
+ If set to yes, user interaction such as password prompts and host
+ key confirmation requests will be disabled. This option is
+ useful in scripts and other batch jobs where no user is present
+ to interact with ssh(1). The argument must be yes or no (the
+ default).
+
+ BindAddress
+ Use the specified address on the local machine as the source
+ address of the connection. Only useful on systems with more than
+ one address.
+
+ BindInterface
+ Use the address of the specified interface on the local machine
+ as the source address of the connection.
+
+ CanonicalDomains
+ When CanonicalizeHostname is enabled, this option specifies the
+ list of domain suffixes in which to search for the specified
+ destination host.
+
+ CanonicalizeFallbackLocal
+ Specifies whether to fail with an error when hostname
+ canonicalization fails. The default, yes, will attempt to look
+ up the unqualified hostname using the system resolver's search
+ rules. A value of no will cause ssh(1) to fail instantly if
+ CanonicalizeHostname is enabled and the target hostname cannot be
+ found in any of the domains specified by CanonicalDomains.
+
+ CanonicalizeHostname
+ Controls whether explicit hostname canonicalization is performed.
+ The default, no, is not to perform any name rewriting and let the
+ system resolver handle all hostname lookups. If set to yes then,
+ for connections that do not use a ProxyCommand or ProxyJump,
+ ssh(1) will attempt to canonicalize the hostname specified on the
+ command line using the CanonicalDomains suffixes and
+ CanonicalizePermittedCNAMEs rules. If CanonicalizeHostname is
+ set to always, then canonicalization is applied to proxied
+ connections too.
+
+ If this option is enabled, then the configuration files are
+ processed again using the new target name to pick up any new
+ configuration in matching Host and Match stanzas. A value of
+ none disables the use of a ProxyJump host.
+
+ CanonicalizeMaxDots
+ Specifies the maximum number of dot characters in a hostname
+ before canonicalization is disabled. The default, 1, allows a
+ single dot (i.e. hostname.subdomain).
+
+ CanonicalizePermittedCNAMEs
+ Specifies rules to determine whether CNAMEs should be followed
+ when canonicalizing hostnames. The rules consist of one or more
+ arguments of source_domain_list:target_domain_list, where
+ source_domain_list is a pattern-list of domains that may follow
+ CNAMEs in canonicalization, and target_domain_list is a pattern-
+ list of domains that they may resolve to.
+
+ For example, "*.a.example.com:*.b.example.com,*.c.example.com"
+ will allow hostnames matching "*.a.example.com" to be
+ canonicalized to names in the "*.b.example.com" or
+ "*.c.example.com" domains.
+
+ A single argument of "none" causes no CNAMEs to be considered for
+ canonicalization. This is the default behaviour.
+
+ CASignatureAlgorithms
+ Specifies which algorithms are allowed for signing of
+ certificates by certificate authorities (CAs). The default is:
+
+ ssh-ed25519,ecdsa-sha2-nistp256,
+ ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ sk-ssh-ed25519@openssh.com,
+ sk-ecdsa-sha2-nistp256@openssh.com,
+ rsa-sha2-512,rsa-sha2-256
+
+ If the specified list begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the
+ specified algorithms will be appended to the default set instead
+ of replacing them. If the specified list begins with a M-bM-^@M-^X-M-bM-^@M-^Y
+ character, then the specified algorithms (including wildcards)
+ will be removed from the default set instead of replacing them.
+
+ ssh(1) will not accept host certificates signed using algorithms
+ other than those specified.
+
+ CertificateFile
+ Specifies a file from which the user's certificate is read. A
+ corresponding private key must be provided separately in order to
+ use this certificate either from an IdentityFile directive or -i
+ flag to ssh(1), via ssh-agent(1), or via a PKCS11Provider or
+ SecurityKeyProvider.
+
+ Arguments to CertificateFile may use the tilde syntax to refer to
+ a user's home directory, the tokens described in the TOKENS
+ section and environment variables as described in the ENVIRONMENT
+ VARIABLES section.
+
+ It is possible to have multiple certificate files specified in
+ configuration files; these certificates will be tried in
+ sequence. Multiple CertificateFile directives will add to the
+ list of certificates used for authentication.
+
+ ChannelTimeout
+ Specifies whether and how quickly ssh(1) should close inactive
+ channels. Timeouts are specified as one or more M-bM-^@M-^\type=intervalM-bM-^@M-^]
+ pairs separated by whitespace, where the M-bM-^@M-^\typeM-bM-^@M-^] must be a channel
+ type name (as described in the table below), optionally
+ containing wildcard characters.
+
+ The timeout value M-bM-^@M-^\intervalM-bM-^@M-^] is specified in seconds or may use
+ any of the units documented in the TIME FORMATS section. For
+ example, M-bM-^@M-^\session=5mM-bM-^@M-^] would cause the interactive session to
+ terminate after five minutes of inactivity. Specifying a zero
+ value disables the inactivity timeout.
+
+ The available channel types include:
+
+ agent-connection
+ Open connections to ssh-agent(1).
+
+ direct-tcpip, direct-streamlocal@openssh.com
+ Open TCP or Unix socket (respectively) connections that
+ have been established from a ssh(1) local forwarding,
+ i.e. LocalForward or DynamicForward.
+
+ forwarded-tcpip, forwarded-streamlocal@openssh.com
+ Open TCP or Unix socket (respectively) connections that
+ have been established to a sshd(8) listening on behalf of
+ a ssh(1) remote forwarding, i.e. RemoteForward.
+
+ session
+ The interactive main session, including shell session,
+ command execution, scp(1), sftp(1), etc.
+
+ tun-connection
+ Open TunnelForward connections.
+
+ x11-connection
+ Open X11 forwarding sessions.
+
+ Note that in all the above cases, terminating an inactive session
+ does not guarantee to remove all resources associated with the
+ session, e.g. shell processes or X11 clients relating to the
+ session may continue to execute.
+
+ Moreover, terminating an inactive channel or session does not
+ necessarily close the SSH connection, nor does it prevent a
+ client from requesting another channel of the same type. In
+ particular, expiring an inactive forwarding session does not
+ prevent another identical forwarding from being subsequently
+ created.
+
+ The default is not to expire channels of any type for inactivity.
+
+ CheckHostIP
+ If set to yes, ssh(1) will additionally check the host IP address
+ in the known_hosts file. This allows it to detect if a host key
+ changed due to DNS spoofing and will add addresses of destination
+ hosts to ~/.ssh/known_hosts in the process, regardless of the
+ setting of StrictHostKeyChecking. If the option is set to no
+ (the default), the check will not be executed.
+
+ Ciphers
+ Specifies the ciphers allowed and their order of preference.
+ Multiple ciphers must be comma-separated. If the specified list
+ begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified ciphers will be
+ appended to the default set instead of replacing them. If the
+ specified list begins with a M-bM-^@M-^X-M-bM-^@M-^Y character, then the specified
+ ciphers (including wildcards) will be removed from the default
+ set instead of replacing them. If the specified list begins with
+ a M-bM-^@M-^X^M-bM-^@M-^Y character, then the specified ciphers will be placed at the
+ head of the default set.
+
+ The supported ciphers are:
+
+ 3des-cbc
+ aes128-cbc
+ aes192-cbc
+ aes256-cbc
+ aes128-ctr
+ aes192-ctr
+ aes256-ctr
+ aes128-gcm@openssh.com
+ aes256-gcm@openssh.com
+ chacha20-poly1305@openssh.com
+
+ The default is:
+
+ chacha20-poly1305@openssh.com,
+ aes128-ctr,aes192-ctr,aes256-ctr,
+ aes128-gcm@openssh.com,aes256-gcm@openssh.com
+
+ The list of available ciphers may also be obtained using "ssh -Q
+ cipher".
+
+ ClearAllForwardings
+ Specifies that all local, remote, and dynamic port forwardings
+ specified in the configuration files or on the command line be
+ cleared. This option is primarily useful when used from the
+ ssh(1) command line to clear port forwardings set in
+ configuration files, and is automatically set by scp(1) and
+ sftp(1). The argument must be yes or no (the default).
+
+ Compression
+ Specifies whether to use compression. The argument must be yes
+ or no (the default).
+
+ ConnectionAttempts
+ Specifies the number of tries (one per second) to make before
+ exiting. The argument must be an integer. This may be useful in
+ scripts if the connection sometimes fails. The default is 1.
+
+ ConnectTimeout
+ Specifies the timeout (in seconds) used when connecting to the
+ SSH server, instead of using the default system TCP timeout.
+ This timeout is applied both to establishing the connection and
+ to performing the initial SSH protocol handshake and key
+ exchange.
+
+ ControlMaster
+ Enables the sharing of multiple sessions over a single network
+ connection. When set to yes, ssh(1) will listen for connections
+ on a control socket specified using the ControlPath argument.
+ Additional sessions can connect to this socket using the same
+ ControlPath with ControlMaster set to no (the default). These
+ sessions will try to reuse the master instance's network
+ connection rather than initiating new ones, but will fall back to
+ connecting normally if the control socket does not exist, or is
+ not listening.
+
+ Setting this to ask will cause ssh(1) to listen for control
+ connections, but require confirmation using ssh-askpass(1). If
+ the ControlPath cannot be opened, ssh(1) will continue without
+ connecting to a master instance.
+
+ X11 and ssh-agent(1) forwarding is supported over these
+ multiplexed connections, however the display and agent forwarded
+ will be the one belonging to the master connection i.e. it is not
+ possible to forward multiple displays or agents.
+
+ Two additional options allow for opportunistic multiplexing: try
+ to use a master connection but fall back to creating a new one if
+ one does not already exist. These options are: auto and autoask.
+ The latter requires confirmation like the ask option.
+
+ ControlPath
+ Specify the path to the control socket used for connection
+ sharing as described in the ControlMaster section above or the
+ string none to disable connection sharing. Arguments to
+ ControlPath may use the tilde syntax to refer to a user's home
+ directory, the tokens described in the TOKENS section and
+ environment variables as described in the ENVIRONMENT VARIABLES
+ section. It is recommended that any ControlPath used for
+ opportunistic connection sharing include at least %h, %p, and %r
+ (or alternatively %C) and be placed in a directory that is not
+ writable by other users. This ensures that shared connections
+ are uniquely identified.
+
+ ControlPersist
+ When used in conjunction with ControlMaster, specifies that the
+ master connection should remain open in the background (waiting
+ for future client connections) after the initial client
+ connection has been closed. If set to no (the default), then the
+ master connection will not be placed into the background, and
+ will close as soon as the initial client connection is closed.
+ If set to yes or 0, then the master connection will remain in the
+ background indefinitely (until killed or closed via a mechanism
+ such as the "ssh -O exit"). If set to a time in seconds, or a
+ time in any of the formats documented in sshd_config(5), then the
+ backgrounded master connection will automatically terminate after
+ it has remained idle (with no client connections) for the
+ specified time.
+
+ DynamicForward
+ Specifies that a TCP port on the local machine be forwarded over
+ the secure channel, and the application protocol is then used to
+ determine where to connect to from the remote machine.
+
+ The argument must be [bind_address:]port. IPv6 addresses can be
+ specified by enclosing addresses in square brackets. By default,
+ the local port is bound in accordance with the GatewayPorts
+ setting. However, an explicit bind_address may be used to bind
+ the connection to a specific address. The bind_address of
+ localhost indicates that the listening port be bound for local
+ use only, while an empty address or M-bM-^@M-^X*M-bM-^@M-^Y indicates that the port
+ should be available from all interfaces.
+
+ Currently the SOCKS4 and SOCKS5 protocols are supported, and
+ ssh(1) will act as a SOCKS server. Multiple forwardings may be
+ specified, and additional forwardings can be given on the command
+ line. Only the superuser can forward privileged ports.
+
+ EnableEscapeCommandline
+ Enables the command line option in the EscapeChar menu for
+ interactive sessions (default M-bM-^@M-^X~CM-bM-^@M-^Y). By default, the command
+ line is disabled.
+
+ EnableSSHKeysign
+ Setting this option to yes in the global client configuration
+ file /etc/ssh/ssh_config enables the use of the helper program
+ ssh-keysign(8) during HostbasedAuthentication. The argument must
+ be yes or no (the default). This option should be placed in the
+ non-hostspecific section. See ssh-keysign(8) for more
+ information.
+
+ EscapeChar
+ Sets the escape character (default: M-bM-^@M-^X~M-bM-^@M-^Y). The escape character
+ can also be set on the command line. The argument should be a
+ single character, M-bM-^@M-^X^M-bM-^@M-^Y followed by a letter, or none to disable
+ the escape character entirely (making the connection transparent
+ for binary data).
+
+ ExitOnForwardFailure
+ Specifies whether ssh(1) should terminate the connection if it
+ cannot set up all requested dynamic, tunnel, local, and remote
+ port forwardings, (e.g. if either end is unable to bind and
+ listen on a specified port). Note that ExitOnForwardFailure does
+ not apply to connections made over port forwardings and will not,
+ for example, cause ssh(1) to exit if TCP connections to the
+ ultimate forwarding destination fail. The argument must be yes
+ or no (the default).
+
+ FingerprintHash
+ Specifies the hash algorithm used when displaying key
+ fingerprints. Valid options are: md5 and sha256 (the default).
+
+ ForkAfterAuthentication
+ Requests ssh to go to background just before command execution.
+ This is useful if ssh is going to ask for passwords or
+ passphrases, but the user wants it in the background. This
+ implies the StdinNull configuration option being set to M-bM-^@M-^\yesM-bM-^@M-^].
+ The recommended way to start X11 programs at a remote site is
+ with something like ssh -f host xterm, which is the same as ssh
+ host xterm if the ForkAfterAuthentication configuration option is
+ set to M-bM-^@M-^\yesM-bM-^@M-^].
+
+ If the ExitOnForwardFailure configuration option is set to M-bM-^@M-^\yesM-bM-^@M-^],
+ then a client started with the ForkAfterAuthentication
+ configuration option being set to M-bM-^@M-^\yesM-bM-^@M-^] will wait for all remote
+ port forwards to be successfully established before placing
+ itself in the background. The argument to this keyword must be
+ yes (same as the -f option) or no (the default).
+
+ ForwardAgent
+ Specifies whether the connection to the authentication agent (if
+ any) will be forwarded to the remote machine. The argument may
+ be yes, no (the default), an explicit path to an agent socket or
+ the name of an environment variable (beginning with M-bM-^@M-^X$M-bM-^@M-^Y) in which
+ to find the path.
+
+ Agent forwarding should be enabled with caution. Users with the
+ ability to bypass file permissions on the remote host (for the
+ agent's Unix-domain socket) can access the local agent through
+ the forwarded connection. An attacker cannot obtain key material
+ from the agent, however they can perform operations on the keys
+ that enable them to authenticate using the identities loaded into
+ the agent.
+
+ ForwardX11
+ Specifies whether X11 connections will be automatically
+ redirected over the secure channel and DISPLAY set. The argument
+ must be yes or no (the default).
+
+ X11 forwarding should be enabled with caution. Users with the
+ ability to bypass file permissions on the remote host (for the
+ user's X11 authorization database) can access the local X11
+ display through the forwarded connection. An attacker may then
+ be able to perform activities such as keystroke monitoring if the
+ ForwardX11Trusted option is also enabled.
+
+ ForwardX11Timeout
+ Specify a timeout for untrusted X11 forwarding using the format
+ described in the TIME FORMATS section of sshd_config(5). X11
+ connections received by ssh(1) after this time will be refused.
+ Setting ForwardX11Timeout to zero will disable the timeout and
+ permit X11 forwarding for the life of the connection. The
+ default is to disable untrusted X11 forwarding after twenty
+ minutes has elapsed.
+
+ ForwardX11Trusted
+ If this option is set to yes, remote X11 clients will have full
+ access to the original X11 display.
+
+ If this option is set to no (the default), remote X11 clients
+ will be considered untrusted and prevented from stealing or
+ tampering with data belonging to trusted X11 clients.
+ Furthermore, the xauth(1) token used for the session will be set
+ to expire after 20 minutes. Remote clients will be refused
+ access after this time.
+
+ See the X11 SECURITY extension specification for full details on
+ the restrictions imposed on untrusted clients.
+
+ GatewayPorts
+ Specifies whether remote hosts are allowed to connect to local
+ forwarded ports. By default, ssh(1) binds local port forwardings
+ to the loopback address. This prevents other remote hosts from
+ connecting to forwarded ports. GatewayPorts can be used to
+ specify that ssh should bind local port forwardings to the
+ wildcard address, thus allowing remote hosts to connect to
+ forwarded ports. The argument must be yes or no (the default).
+
+ GlobalKnownHostsFile
+ Specifies one or more files to use for the global host key
+ database, separated by whitespace. The default is
+ /etc/ssh/ssh_known_hosts, /etc/ssh/ssh_known_hosts2.
+
+ GSSAPIAuthentication
+ Specifies whether user authentication based on GSSAPI is allowed.
+ The default is no.
+
+ GSSAPIDelegateCredentials
+ Forward (delegate) credentials to the server. The default is no.
+
+ HashKnownHosts
+ Indicates that ssh(1) should hash host names and addresses when
+ they are added to ~/.ssh/known_hosts. These hashed names may be
+ used normally by ssh(1) and sshd(8), but they do not visually
+ reveal identifying information if the file's contents are
+ disclosed. The default is no. Note that existing names and
+ addresses in known hosts files will not be converted
+ automatically, but may be manually hashed using ssh-keygen(1).
+
+ HostbasedAcceptedAlgorithms
+ Specifies the signature algorithms that will be used for
+ hostbased authentication as a comma-separated list of patterns.
+ Alternately if the specified list begins with a M-bM-^@M-^X+M-bM-^@M-^Y character,
+ then the specified signature algorithms will be appended to the
+ default set instead of replacing them. If the specified list
+ begins with a M-bM-^@M-^X-M-bM-^@M-^Y character, then the specified signature
+ algorithms (including wildcards) will be removed from the default
+ set instead of replacing them. If the specified list begins with
+ a M-bM-^@M-^X^M-bM-^@M-^Y character, then the specified signature algorithms will be
+ placed at the head of the default set. The default for this
+ option is:
+
+ ssh-ed25519-cert-v01@openssh.com,
+ ecdsa-sha2-nistp256-cert-v01@openssh.com,
+ ecdsa-sha2-nistp384-cert-v01@openssh.com,
+ ecdsa-sha2-nistp521-cert-v01@openssh.com,
+ sk-ssh-ed25519-cert-v01@openssh.com,
+ sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
+ rsa-sha2-512-cert-v01@openssh.com,
+ rsa-sha2-256-cert-v01@openssh.com,
+ ssh-ed25519,
+ ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ sk-ssh-ed25519@openssh.com,
+ sk-ecdsa-sha2-nistp256@openssh.com,
+ rsa-sha2-512,rsa-sha2-256
+
+ The -Q option of ssh(1) may be used to list supported signature
+ algorithms. This was formerly named HostbasedKeyTypes.
+
+ HostbasedAuthentication
+ Specifies whether to try rhosts based authentication with public
+ key authentication. The argument must be yes or no (the
+ default).
+
+ HostKeyAlgorithms
+ Specifies the host key signature algorithms that the client wants
+ to use in order of preference. Alternately if the specified list
+ begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified signature
+ algorithms will be appended to the default set instead of
+ replacing them. If the specified list begins with a M-bM-^@M-^X-M-bM-^@M-^Y
+ character, then the specified signature algorithms (including
+ wildcards) will be removed from the default set instead of
+ replacing them. If the specified list begins with a M-bM-^@M-^X^M-bM-^@M-^Y
+ character, then the specified signature algorithms will be placed
+ at the head of the default set. The default for this option is:
+
+ ssh-ed25519-cert-v01@openssh.com,
+ ecdsa-sha2-nistp256-cert-v01@openssh.com,
+ ecdsa-sha2-nistp384-cert-v01@openssh.com,
+ ecdsa-sha2-nistp521-cert-v01@openssh.com,
+ sk-ssh-ed25519-cert-v01@openssh.com,
+ sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
+ rsa-sha2-512-cert-v01@openssh.com,
+ rsa-sha2-256-cert-v01@openssh.com,
+ ssh-ed25519,
+ ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ sk-ecdsa-sha2-nistp256@openssh.com,
+ sk-ssh-ed25519@openssh.com,
+ rsa-sha2-512,rsa-sha2-256
+
+ If hostkeys are known for the destination host then this default
+ is modified to prefer their algorithms.
+
+ The list of available signature algorithms may also be obtained
+ using "ssh -Q HostKeyAlgorithms".
+
+ HostKeyAlias
+ Specifies an alias that should be used instead of the real host
+ name when looking up or saving the host key in the host key
+ database files and when validating host certificates. This
+ option is useful for tunneling SSH connections or for multiple
+ servers running on a single host.
+
+ Hostname
+ Specifies the real host name to log into. This can be used to
+ specify nicknames or abbreviations for hosts. Arguments to
+ Hostname accept the tokens described in the TOKENS section.
+ Numeric IP addresses are also permitted (both on the command line
+ and in Hostname specifications). The default is the name given
+ on the command line.
+
+ IdentitiesOnly
+ Specifies that ssh(1) should only use the configured
+ authentication identity and certificate files (either the default
+ files, or those explicitly configured in the ssh_config files or
+ passed on the ssh(1) command-line), even if ssh-agent(1) or a
+ PKCS11Provider or SecurityKeyProvider offers more identities.
+ The argument to this keyword must be yes or no (the default).
+ This option is intended for situations where ssh-agent offers
+ many different identities.
+
+ IdentityAgent
+ Specifies the UNIX-domain socket used to communicate with the
+ authentication agent.
+
+ This option overrides the SSH_AUTH_SOCK environment variable and
+ can be used to select a specific agent. Setting the socket name
+ to none disables the use of an authentication agent. If the
+ string "SSH_AUTH_SOCK" is specified, the location of the socket
+ will be read from the SSH_AUTH_SOCK environment variable.
+ Otherwise if the specified value begins with a M-bM-^@M-^X$M-bM-^@M-^Y character,
+ then it will be treated as an environment variable containing the
+ location of the socket.
+
+ Arguments to IdentityAgent may use the tilde syntax to refer to a
+ user's home directory, the tokens described in the TOKENS section
+ and environment variables as described in the ENVIRONMENT
+ VARIABLES section.
+
+ IdentityFile
+ Specifies a file from which the user's DSA, ECDSA, authenticator-
+ hosted ECDSA, Ed25519, authenticator-hosted Ed25519 or RSA
+ authentication identity is read. You can also specify a public
+ key file to use the corresponding private key that is loaded in
+ ssh-agent(1) when the private key file is not present locally.
+ The default is ~/.ssh/id_rsa, ~/.ssh/id_ecdsa,
+ ~/.ssh/id_ecdsa_sk, ~/.ssh/id_ed25519, ~/.ssh/id_ed25519_sk and
+ ~/.ssh/id_dsa. Additionally, any identities represented by the
+ authentication agent will be used for authentication unless
+ IdentitiesOnly is set. If no certificates have been explicitly
+ specified by CertificateFile, ssh(1) will try to load certificate
+ information from the filename obtained by appending -cert.pub to
+ the path of a specified IdentityFile.
+
+ Arguments to IdentityFile may use the tilde syntax to refer to a
+ user's home directory or the tokens described in the TOKENS
+ section. Alternately an argument of none may be used to indicate
+ no identity files should be loaded.
+
+ It is possible to have multiple identity files specified in
+ configuration files; all these identities will be tried in
+ sequence. Multiple IdentityFile directives will add to the list
+ of identities tried (this behaviour differs from that of other
+ configuration directives).
+
+ IdentityFile may be used in conjunction with IdentitiesOnly to
+ select which identities in an agent are offered during
+ authentication. IdentityFile may also be used in conjunction
+ with CertificateFile in order to provide any certificate also
+ needed for authentication with the identity.
+
+ IgnoreUnknown
+ Specifies a pattern-list of unknown options to be ignored if they
+ are encountered in configuration parsing. This may be used to
+ suppress errors if ssh_config contains options that are
+ unrecognised by ssh(1). It is recommended that IgnoreUnknown be
+ listed early in the configuration file as it will not be applied
+ to unknown options that appear before it.
+
+ Include
+ Include the specified configuration file(s). Multiple pathnames
+ may be specified and each pathname may contain glob(7) wildcards
+ and, for user configurations, shell-like M-bM-^@M-^X~M-bM-^@M-^Y references to user
+ home directories. Wildcards will be expanded and processed in
+ lexical order. Files without absolute paths are assumed to be in
+ ~/.ssh if included in a user configuration file or /etc/ssh if
+ included from the system configuration file. Include directive
+ may appear inside a Match or Host block to perform conditional
+ inclusion.
+
+ IPQoS Specifies the IPv4 type-of-service or DSCP class for connections.
+ Accepted values are af11, af12, af13, af21, af22, af23, af31,
+ af32, af33, af41, af42, af43, cs0, cs1, cs2, cs3, cs4, cs5, cs6,
+ cs7, ef, le, lowdelay, throughput, reliability, a numeric value,
+ or none to use the operating system default. This option may
+ take one or two arguments, separated by whitespace. If one
+ argument is specified, it is used as the packet class
+ unconditionally. If two values are specified, the first is
+ automatically selected for interactive sessions and the second
+ for non-interactive sessions. The default is af21 (Low-Latency
+ Data) for interactive sessions and cs1 (Lower Effort) for non-
+ interactive sessions.
+
+ KbdInteractiveAuthentication
+ Specifies whether to use keyboard-interactive authentication.
+ The argument to this keyword must be yes (the default) or no.
+ ChallengeResponseAuthentication is a deprecated alias for this.
+
+ KbdInteractiveDevices
+ Specifies the list of methods to use in keyboard-interactive
+ authentication. Multiple method names must be comma-separated.
+ The default is to use the server specified list. The methods
+ available vary depending on what the server supports. For an
+ OpenSSH server, it may be zero or more of: bsdauth and pam.
+
+ KexAlgorithms
+ Specifies the available KEX (Key Exchange) algorithms. Multiple
+ algorithms must be comma-separated. If the specified list begins
+ with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified algorithms will be
+ appended to the default set instead of replacing them. If the
+ specified list begins with a M-bM-^@M-^X-M-bM-^@M-^Y character, then the specified
+ algorithms (including wildcards) will be removed from the default
+ set instead of replacing them. If the specified list begins with
+ a M-bM-^@M-^X^M-bM-^@M-^Y character, then the specified algorithms will be placed at
+ the head of the default set. The default is:
+
+ sntrup761x25519-sha512@openssh.com,
+ curve25519-sha256,curve25519-sha256@libssh.org,
+ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
+ diffie-hellman-group-exchange-sha256,
+ diffie-hellman-group16-sha512,
+ diffie-hellman-group18-sha512,
+ diffie-hellman-group14-sha256
+
+ The list of available key exchange algorithms may also be
+ obtained using "ssh -Q kex".
+
+ KnownHostsCommand
+ Specifies a command to use to obtain a list of host keys, in
+ addition to those listed in UserKnownHostsFile and
+ GlobalKnownHostsFile. This command is executed after the files
+ have been read. It may write host key lines to standard output
+ in identical format to the usual files (described in the
+ VERIFYING HOST KEYS section in ssh(1)). Arguments to
+ KnownHostsCommand accept the tokens described in the TOKENS
+ section. The command may be invoked multiple times per
+ connection: once when preparing the preference list of host key
+ algorithms to use, again to obtain the host key for the requested
+ host name and, if CheckHostIP is enabled, one more time to obtain
+ the host key matching the server's address. If the command exits
+ abnormally or returns a non-zero exit status then the connection
+ is terminated.
+
+ LocalCommand
+ Specifies a command to execute on the local machine after
+ successfully connecting to the server. The command string
+ extends to the end of the line, and is executed with the user's
+ shell. Arguments to LocalCommand accept the tokens described in
+ the TOKENS section.
+
+ The command is run synchronously and does not have access to the
+ session of the ssh(1) that spawned it. It should not be used for
+ interactive commands.
+
+ This directive is ignored unless PermitLocalCommand has been
+ enabled.
+
+ LocalForward
+ Specifies that a TCP port on the local machine be forwarded over
+ the secure channel to the specified host and port from the remote
+ machine. The first argument specifies the listener and may be
+ [bind_address:]port or a Unix domain socket path. The second
+ argument is the destination and may be host:hostport or a Unix
+ domain socket path if the remote host supports it.
+
+ IPv6 addresses can be specified by enclosing addresses in square
+ brackets. Multiple forwardings may be specified, and additional
+ forwardings can be given on the command line. Only the superuser
+ can forward privileged ports. By default, the local port is
+ bound in accordance with the GatewayPorts setting. However, an
+ explicit bind_address may be used to bind the connection to a
+ specific address. The bind_address of localhost indicates that
+ the listening port be bound for local use only, while an empty
+ address or M-bM-^@M-^X*M-bM-^@M-^Y indicates that the port should be available from
+ all interfaces. Unix domain socket paths may use the tokens
+ described in the TOKENS section and environment variables as
+ described in the ENVIRONMENT VARIABLES section.
+
+ LogLevel
+ Gives the verbosity level that is used when logging messages from
+ ssh(1). The possible values are: QUIET, FATAL, ERROR, INFO,
+ VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO.
+ DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify
+ higher levels of verbose output.
+
+ LogVerbose
+ Specify one or more overrides to LogLevel. An override consists
+ of a pattern lists that matches the source file, function and
+ line number to force detailed logging for. For example, an
+ override pattern of:
+
+ kex.c:*:1000,*:kex_exchange_identification():*,packet.c:*
+
+ would enable detailed logging for line 1000 of kex.c, everything
+ in the kex_exchange_identification() function, and all code in
+ the packet.c file. This option is intended for debugging and no
+ overrides are enabled by default.
+
+ MACs Specifies the MAC (message authentication code) algorithms in
+ order of preference. The MAC algorithm is used for data
+ integrity protection. Multiple algorithms must be comma-
+ separated. If the specified list begins with a M-bM-^@M-^X+M-bM-^@M-^Y character,
+ then the specified algorithms will be appended to the default set
+ instead of replacing them. If the specified list begins with a
+ M-bM-^@M-^X-M-bM-^@M-^Y character, then the specified algorithms (including
+ wildcards) will be removed from the default set instead of
+ replacing them. If the specified list begins with a M-bM-^@M-^X^M-bM-^@M-^Y
+ character, then the specified algorithms will be placed at the
+ head of the default set.
+
+ The algorithms that contain "-etm" calculate the MAC after
+ encryption (encrypt-then-mac). These are considered safer and
+ their use recommended.
+
+ The default is:
+
+ umac-64-etm@openssh.com,umac-128-etm@openssh.com,
+ hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
+ hmac-sha1-etm@openssh.com,
+ umac-64@openssh.com,umac-128@openssh.com,
+ hmac-sha2-256,hmac-sha2-512,hmac-sha1
+
+ The list of available MAC algorithms may also be obtained using
+ "ssh -Q mac".
+
+ NoHostAuthenticationForLocalhost
+ Disable host authentication for localhost (loopback addresses).
+ The argument to this keyword must be yes or no (the default).
+
+ NumberOfPasswordPrompts
+ Specifies the number of password prompts before giving up. The
+ argument to this keyword must be an integer. The default is 3.
+
+ ObscureKeystrokeTiming
+ Specifies whether ssh(1) should try to obscure inter-keystroke
+ timings from passive observers of network traffic. If enabled,
+ then for interactive sessions, ssh(1) will send keystrokes at
+ fixed intervals of a few tens of milliseconds and will send fake
+ keystroke packets for some time after typing ceases. The
+ argument to this keyword must be yes, no or an interval specifier
+ of the form interval:milliseconds (e.g. interval:80 for 80
+ milliseconds). The default is to obscure keystrokes using a 20ms
+ packet interval. Note that smaller intervals will result in
+ higher fake keystroke packet rates.
+
+ PasswordAuthentication
+ Specifies whether to use password authentication. The argument
+ to this keyword must be yes (the default) or no.
+
+ PermitLocalCommand
+ Allow local command execution via the LocalCommand option or
+ using the !command escape sequence in ssh(1). The argument must
+ be yes or no (the default).
+
+ PermitRemoteOpen
+ Specifies the destinations to which remote TCP port forwarding is
+ permitted when RemoteForward is used as a SOCKS proxy. The
+ forwarding specification must be one of the following forms:
+
+ PermitRemoteOpen host:port
+ PermitRemoteOpen IPv4_addr:port
+ PermitRemoteOpen [IPv6_addr]:port
+
+ Multiple forwards may be specified by separating them with
+ whitespace. An argument of any can be used to remove all
+ restrictions and permit any forwarding requests. An argument of
+ none can be used to prohibit all forwarding requests. The
+ wildcard M-bM-^@M-^X*M-bM-^@M-^Y can be used for host or port to allow all hosts or
+ ports respectively. Otherwise, no pattern matching or address
+ lookups are performed on supplied names.
+
+ PKCS11Provider
+ Specifies which PKCS#11 provider to use or none to indicate that
+ no provider should be used (the default). The argument to this
+ keyword is a path to the PKCS#11 shared library ssh(1) should use
+ to communicate with a PKCS#11 token providing keys for user
+ authentication.
+
+ Port Specifies the port number to connect on the remote host. The
+ default is 22.
+
+ PreferredAuthentications
+ Specifies the order in which the client should try authentication
+ methods. This allows a client to prefer one method (e.g.
+ keyboard-interactive) over another method (e.g. password). The
+ default is:
+
+ gssapi-with-mic,hostbased,publickey,
+ keyboard-interactive,password
+
+ ProxyCommand
+ Specifies the command to use to connect to the server. The
+ command string extends to the end of the line, and is executed
+ using the user's shell M-bM-^@M-^XexecM-bM-^@M-^Y directive to avoid a lingering
+ shell process.
+
+ Arguments to ProxyCommand accept the tokens described in the
+ TOKENS section. The command can be basically anything, and
+ should read from its standard input and write to its standard
+ output. It should eventually connect an sshd(8) server running
+ on some machine, or execute sshd -i somewhere. Host key
+ management will be done using the Hostname of the host being
+ connected (defaulting to the name typed by the user). Setting
+ the command to none disables this option entirely. Note that
+ CheckHostIP is not available for connects with a proxy command.
+
+ This directive is useful in conjunction with nc(1) and its proxy
+ support. For example, the following directive would connect via
+ an HTTP proxy at 192.0.2.0:
+
+ ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
+
+ ProxyJump
+ Specifies one or more jump proxies as either [user@]host[:port]
+ or an ssh URI. Multiple proxies may be separated by comma
+ characters and will be visited sequentially. Setting this option
+ will cause ssh(1) to connect to the target host by first making a
+ ssh(1) connection to the specified ProxyJump host and then
+ establishing a TCP forwarding to the ultimate target from there.
+ Setting the host to none disables this option entirely.
+
+ Note that this option will compete with the ProxyCommand option -
+ whichever is specified first will prevent later instances of the
+ other from taking effect.
+
+ Note also that the configuration for the destination host (either
+ supplied via the command-line or the configuration file) is not
+ generally applied to jump hosts. ~/.ssh/config should be used if
+ specific configuration is required for jump hosts.
+
+ ProxyUseFdpass
+ Specifies that ProxyCommand will pass a connected file descriptor
+ back to ssh(1) instead of continuing to execute and pass data.
+ The default is no.
+
+ PubkeyAcceptedAlgorithms
+ Specifies the signature algorithms that will be used for public
+ key authentication as a comma-separated list of patterns. If the
+ specified list begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the algorithms
+ after it will be appended to the default instead of replacing it.
+ If the specified list begins with a M-bM-^@M-^X-M-bM-^@M-^Y character, then the
+ specified algorithms (including wildcards) will be removed from
+ the default set instead of replacing them. If the specified list
+ begins with a M-bM-^@M-^X^M-bM-^@M-^Y character, then the specified algorithms will
+ be placed at the head of the default set. The default for this
+ option is:
+
+ ssh-ed25519-cert-v01@openssh.com,
+ ecdsa-sha2-nistp256-cert-v01@openssh.com,
+ ecdsa-sha2-nistp384-cert-v01@openssh.com,
+ ecdsa-sha2-nistp521-cert-v01@openssh.com,
+ sk-ssh-ed25519-cert-v01@openssh.com,
+ sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
+ rsa-sha2-512-cert-v01@openssh.com,
+ rsa-sha2-256-cert-v01@openssh.com,
+ ssh-ed25519,
+ ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ sk-ssh-ed25519@openssh.com,
+ sk-ecdsa-sha2-nistp256@openssh.com,
+ rsa-sha2-512,rsa-sha2-256
+
+ The list of available signature algorithms may also be obtained
+ using "ssh -Q PubkeyAcceptedAlgorithms".
+
+ PubkeyAuthentication
+ Specifies whether to try public key authentication. The argument
+ to this keyword must be yes (the default), no, unbound or
+ host-bound. The final two options enable public key
+ authentication while respectively disabling or enabling the
+ OpenSSH host-bound authentication protocol extension required for
+ restricted ssh-agent(1) forwarding.
+
+ RekeyLimit
+ Specifies the maximum amount of data that may be transmitted or
+ received before the session key is renegotiated, optionally
+ followed by a maximum amount of time that may pass before the
+ session key is renegotiated. The first argument is specified in
+ bytes and may have a suffix of M-bM-^@M-^XKM-bM-^@M-^Y, M-bM-^@M-^XMM-bM-^@M-^Y, or M-bM-^@M-^XGM-bM-^@M-^Y to indicate
+ Kilobytes, Megabytes, or Gigabytes, respectively. The default is
+ between M-bM-^@M-^X1GM-bM-^@M-^Y and M-bM-^@M-^X4GM-bM-^@M-^Y, depending on the cipher. The optional
+ second value is specified in seconds and may use any of the units
+ documented in the TIME FORMATS section of sshd_config(5). The
+ default value for RekeyLimit is default none, which means that
+ rekeying is performed after the cipher's default amount of data
+ has been sent or received and no time based rekeying is done.
+
+ RemoteCommand
+ Specifies a command to execute on the remote machine after
+ successfully connecting to the server. The command string
+ extends to the end of the line, and is executed with the user's
+ shell. Arguments to RemoteCommand accept the tokens described in
+ the TOKENS section.
+
+ RemoteForward
+ Specifies that a TCP port on the remote machine be forwarded over
+ the secure channel. The remote port may either be forwarded to a
+ specified host and port from the local machine, or may act as a
+ SOCKS 4/5 proxy that allows a remote client to connect to
+ arbitrary destinations from the local machine. The first
+ argument is the listening specification and may be
+ [bind_address:]port or, if the remote host supports it, a Unix
+ domain socket path. If forwarding to a specific destination then
+ the second argument must be host:hostport or a Unix domain socket
+ path, otherwise if no destination argument is specified then the
+ remote forwarding will be established as a SOCKS proxy. When
+ acting as a SOCKS proxy, the destination of the connection can be
+ restricted by PermitRemoteOpen.
+
+ IPv6 addresses can be specified by enclosing addresses in square
+ brackets. Multiple forwardings may be specified, and additional
+ forwardings can be given on the command line. Privileged ports
+ can be forwarded only when logging in as root on the remote
+ machine. Unix domain socket paths may use the tokens described
+ in the TOKENS section and environment variables as described in
+ the ENVIRONMENT VARIABLES section.
+
+ If the port argument is 0, the listen port will be dynamically
+ allocated on the server and reported to the client at run time.
+
+ If the bind_address is not specified, the default is to only bind
+ to loopback addresses. If the bind_address is M-bM-^@M-^X*M-bM-^@M-^Y or an empty
+ string, then the forwarding is requested to listen on all
+ interfaces. Specifying a remote bind_address will only succeed
+ if the server's GatewayPorts option is enabled (see
+ sshd_config(5)).
+
+ RequestTTY
+ Specifies whether to request a pseudo-tty for the session. The
+ argument may be one of: no (never request a TTY), yes (always
+ request a TTY when standard input is a TTY), force (always
+ request a TTY) or auto (request a TTY when opening a login
+ session). This option mirrors the -t and -T flags for ssh(1).
+
+ RequiredRSASize
+ Specifies the minimum RSA key size (in bits) that ssh(1) will
+ accept. User authentication keys smaller than this limit will be
+ ignored. Servers that present host keys smaller than this limit
+ will cause the connection to be terminated. The default is 1024
+ bits. Note that this limit may only be raised from the default.
+
+ RevokedHostKeys
+ Specifies revoked host public keys. Keys listed in this file
+ will be refused for host authentication. Note that if this file
+ does not exist or is not readable, then host authentication will
+ be refused for all hosts. Keys may be specified as a text file,
+ listing one public key per line, or as an OpenSSH Key Revocation
+ List (KRL) as generated by ssh-keygen(1). For more information
+ on KRLs, see the KEY REVOCATION LISTS section in ssh-keygen(1).
+ Arguments to RevokedHostKeys may use the tilde syntax to refer to
+ a user's home directory, the tokens described in the TOKENS
+ section and environment variables as described in the ENVIRONMENT
+ VARIABLES section.
+
+ SecurityKeyProvider
+ Specifies a path to a library that will be used when loading any
+ FIDO authenticator-hosted keys, overriding the default of using
+ the built-in USB HID support.
+
+ If the specified value begins with a M-bM-^@M-^X$M-bM-^@M-^Y character, then it will
+ be treated as an environment variable containing the path to the
+ library.
+
+ SendEnv
+ Specifies what variables from the local environ(7) should be sent
+ to the server. The server must also support it, and the server
+ must be configured to accept these environment variables. Note
+ that the TERM environment variable is always sent whenever a
+ pseudo-terminal is requested as it is required by the protocol.
+ Refer to AcceptEnv in sshd_config(5) for how to configure the
+ server. Variables are specified by name, which may contain
+ wildcard characters. Multiple environment variables may be
+ separated by whitespace or spread across multiple SendEnv
+ directives.
+
+ See PATTERNS for more information on patterns.
+
+ It is possible to clear previously set SendEnv variable names by
+ prefixing patterns with -. The default is not to send any
+ environment variables.
+
+ ServerAliveCountMax
+ Sets the number of server alive messages (see below) which may be
+ sent without ssh(1) receiving any messages back from the server.
+ If this threshold is reached while server alive messages are
+ being sent, ssh will disconnect from the server, terminating the
+ session. It is important to note that the use of server alive
+ messages is very different from TCPKeepAlive (below). The server
+ alive messages are sent through the encrypted channel and
+ therefore will not be spoofable. The TCP keepalive option
+ enabled by TCPKeepAlive is spoofable. The server alive mechanism
+ is valuable when the client or server depend on knowing when a
+ connection has become unresponsive.
+
+ The default value is 3. If, for example, ServerAliveInterval
+ (see below) is set to 15 and ServerAliveCountMax is left at the
+ default, if the server becomes unresponsive, ssh will disconnect
+ after approximately 45 seconds.
+
+ ServerAliveInterval
+ Sets a timeout interval in seconds after which if no data has
+ been received from the server, ssh(1) will send a message through
+ the encrypted channel to request a response from the server. The
+ default is 0, indicating that these messages will not be sent to
+ the server.
+
+ SessionType
+ May be used to either request invocation of a subsystem on the
+ remote system, or to prevent the execution of a remote command at
+ all. The latter is useful for just forwarding ports. The
+ argument to this keyword must be none (same as the -N option),
+ subsystem (same as the -s option) or default (shell or command
+ execution).
+
+ SetEnv Directly specify one or more environment variables and their
+ contents to be sent to the server. Similarly to SendEnv, with
+ the exception of the TERM variable, the server must be prepared
+ to accept the environment variable.
+
+ StdinNull
+ Redirects stdin from /dev/null (actually, prevents reading from
+ stdin). Either this or the equivalent -n option must be used
+ when ssh is run in the background. The argument to this keyword
+ must be yes (same as the -n option) or no (the default).
+
+ StreamLocalBindMask
+ Sets the octal file creation mode mask (umask) used when creating
+ a Unix-domain socket file for local or remote port forwarding.
+ This option is only used for port forwarding to a Unix-domain
+ socket file.
+
+ The default value is 0177, which creates a Unix-domain socket
+ file that is readable and writable only by the owner. Note that
+ not all operating systems honor the file mode on Unix-domain
+ socket files.
+
+ StreamLocalBindUnlink
+ Specifies whether to remove an existing Unix-domain socket file
+ for local or remote port forwarding before creating a new one.
+ If the socket file already exists and StreamLocalBindUnlink is
+ not enabled, ssh will be unable to forward the port to the Unix-
+ domain socket file. This option is only used for port forwarding
+ to a Unix-domain socket file.
+
+ The argument must be yes or no (the default).
+
+ StrictHostKeyChecking
+ If this flag is set to yes, ssh(1) will never automatically add
+ host keys to the ~/.ssh/known_hosts file, and refuses to connect
+ to hosts whose host key has changed. This provides maximum
+ protection against man-in-the-middle (MITM) attacks, though it
+ can be annoying when the /etc/ssh/ssh_known_hosts file is poorly
+ maintained or when connections to new hosts are frequently made.
+ This option forces the user to manually add all new hosts.
+
+ If this flag is set to accept-new then ssh will automatically add
+ new host keys to the user's known_hosts file, but will not permit
+ connections to hosts with changed host keys. If this flag is set
+ to no or off, ssh will automatically add new host keys to the
+ user known hosts files and allow connections to hosts with
+ changed hostkeys to proceed, subject to some restrictions. If
+ this flag is set to ask (the default), new host keys will be
+ added to the user known host files only after the user has
+ confirmed that is what they really want to do, and ssh will
+ refuse to connect to hosts whose host key has changed. The host
+ keys of known hosts will be verified automatically in all cases.
+
+ SyslogFacility
+ Gives the facility code that is used when logging messages from
+ ssh(1). The possible values are: DAEMON, USER, AUTH, LOCAL0,
+ LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The
+ default is USER.
+
+ TCPKeepAlive
+ Specifies whether the system should send TCP keepalive messages
+ to the other side. If they are sent, death of the connection or
+ crash of one of the machines will be properly noticed. However,
+ this means that connections will die if the route is down
+ temporarily, and some people find it annoying.
+
+ The default is yes (to send TCP keepalive messages), and the
+ client will notice if the network goes down or the remote host
+ dies. This is important in scripts, and many users want it too.
+
+ To disable TCP keepalive messages, the value should be set to no.
+ See also ServerAliveInterval for protocol-level keepalives.
+
+ Tag Specify a configuration tag name that may be later used by a
+ Match directive to select a block of configuration.
+
+ Tunnel Request tun(4) device forwarding between the client and the
+ server. The argument must be yes, point-to-point (layer 3),
+ ethernet (layer 2), or no (the default). Specifying yes requests
+ the default tunnel mode, which is point-to-point.
+
+ TunnelDevice
+ Specifies the tun(4) devices to open on the client (local_tun)
+ and the server (remote_tun).
+
+ The argument must be local_tun[:remote_tun]. The devices may be
+ specified by numerical ID or the keyword any, which uses the next
+ available tunnel device. If remote_tun is not specified, it
+ defaults to any. The default is any:any.
+
+ UpdateHostKeys
+ Specifies whether ssh(1) should accept notifications of
+ additional hostkeys from the server sent after authentication has
+ completed and add them to UserKnownHostsFile. The argument must
+ be yes, no or ask. This option allows learning alternate
+ hostkeys for a server and supports graceful key rotation by
+ allowing a server to send replacement public keys before old ones
+ are removed.
+
+ Additional hostkeys are only accepted if the key used to
+ authenticate the host was already trusted or explicitly accepted
+ by the user, the host was authenticated via UserKnownHostsFile
+ (i.e. not GlobalKnownHostsFile) and the host was authenticated
+ using a plain key and not a certificate.
+
+ UpdateHostKeys is enabled by default if the user has not
+ overridden the default UserKnownHostsFile setting and has not
+ enabled VerifyHostKeyDNS, otherwise UpdateHostKeys will be set to
+ no.
+
+ If UpdateHostKeys is set to ask, then the user is asked to
+ confirm the modifications to the known_hosts file. Confirmation
+ is currently incompatible with ControlPersist, and will be
+ disabled if it is enabled.
+
+ Presently, only sshd(8) from OpenSSH 6.8 and greater support the
+ "hostkeys@openssh.com" protocol extension used to inform the
+ client of all the server's hostkeys.
+
+ User Specifies the user to log in as. This can be useful when a
+ different user name is used on different machines. This saves
+ the trouble of having to remember to give the user name on the
+ command line.
+
+ UserKnownHostsFile
+ Specifies one or more files to use for the user host key
+ database, separated by whitespace. Each filename may use tilde
+ notation to refer to the user's home directory, the tokens
+ described in the TOKENS section and environment variables as
+ described in the ENVIRONMENT VARIABLES section. A value of none
+ causes ssh(1) to ignore any user-specific known hosts files. The
+ default is ~/.ssh/known_hosts, ~/.ssh/known_hosts2.
+
+ VerifyHostKeyDNS
+ Specifies whether to verify the remote key using DNS and SSHFP
+ resource records. If this option is set to yes, the client will
+ implicitly trust keys that match a secure fingerprint from DNS.
+ Insecure fingerprints will be handled as if this option was set
+ to ask. If this option is set to ask, information on fingerprint
+ match will be displayed, but the user will still need to confirm
+ new host keys according to the StrictHostKeyChecking option. The
+ default is no.
+
+ See also VERIFYING HOST KEYS in ssh(1).
+
+ VisualHostKey
+ If this flag is set to yes, an ASCII art representation of the
+ remote host key fingerprint is printed in addition to the
+ fingerprint string at login and for unknown host keys. If this
+ flag is set to no (the default), no fingerprint strings are
+ printed at login and only the fingerprint string will be printed
+ for unknown host keys.
+
+ XAuthLocation
+ Specifies the full pathname of the xauth(1) program. The default
+ is /usr/X11R6/bin/xauth.
+
+PATTERNS
+ A pattern consists of zero or more non-whitespace characters, M-bM-^@M-^X*M-bM-^@M-^Y (a
+ wildcard that matches zero or more characters), or M-bM-^@M-^X?M-bM-^@M-^Y (a wildcard that
+ matches exactly one character). For example, to specify a set of
+ declarations for any host in the ".co.uk" set of domains, the following
+ pattern could be used:
+
+ Host *.co.uk
+
+ The following pattern would match any host in the 192.168.0.[0-9] network
+ range:
+
+ Host 192.168.0.?
+
+ A pattern-list is a comma-separated list of patterns. Patterns within
+ pattern-lists may be negated by preceding them with an exclamation mark
+ (M-bM-^@M-^X!M-bM-^@M-^Y). For example, to allow a key to be used from anywhere within an
+ organization except from the "dialup" pool, the following entry (in
+ authorized_keys) could be used:
+
+ from="!*.dialup.example.com,*.example.com"
+
+ Note that a negated match will never produce a positive result by itself.
+ For example, attempting to match "host3" against the following pattern-
+ list will fail:
+
+ from="!host1,!host2"
+
+ The solution here is to include a term that will yield a positive match,
+ such as a wildcard:
+
+ from="!host1,!host2,*"
+
+TOKENS
+ Arguments to some keywords can make use of tokens, which are expanded at
+ runtime:
+
+ %% A literal M-bM-^@M-^X%M-bM-^@M-^Y.
+ %C Hash of %l%h%p%r%j.
+ %d Local user's home directory.
+ %f The fingerprint of the server's host key.
+ %H The known_hosts hostname or address that is being searched
+ for.
+ %h The remote hostname.
+ %I A string describing the reason for a KnownHostsCommand
+ execution: either ADDRESS when looking up a host by address
+ (only when CheckHostIP is enabled), HOSTNAME when searching
+ by hostname, or ORDER when preparing the host key algorithm
+ preference list to use for the destination host.
+ %i The local user ID.
+ %j The contents of the ProxyJump option, or the empty string if
+ this option is unset.
+ %K The base64 encoded host key.
+ %k The host key alias if specified, otherwise the original
+ remote hostname given on the command line.
+ %L The local hostname.
+ %l The local hostname, including the domain name.
+ %n The original remote hostname, as given on the command line.
+ %p The remote port.
+ %r The remote username.
+ %T The local tun(4) or tap(4) network interface assigned if
+ tunnel forwarding was requested, or "NONE" otherwise.
+ %t The type of the server host key, e.g. ssh-ed25519.
+ %u The local username.
+
+ CertificateFile, ControlPath, IdentityAgent, IdentityFile,
+ KnownHostsCommand, LocalForward, Match exec, RemoteCommand,
+ RemoteForward, RevokedHostKeys, and UserKnownHostsFile accept the tokens
+ %%, %C, %d, %h, %i, %j, %k, %L, %l, %n, %p, %r, and %u.
+
+ KnownHostsCommand additionally accepts the tokens %f, %H, %I, %K and %t.
+
+ Hostname accepts the tokens %% and %h.
+
+ LocalCommand accepts all tokens.
+
+ ProxyCommand and ProxyJump accept the tokens %%, %h, %n, %p, and %r.
+
+ Note that some of these directives build commands for execution via the
+ shell. Because ssh(1) performs no filtering or escaping of characters
+ that have special meaning in shell commands (e.g. quotes), it is the
+ user's responsibility to ensure that the arguments passed to ssh(1) do
+ not contain such characters and that tokens are appropriately quoted when
+ used.
+
+ENVIRONMENT VARIABLES
+ Arguments to some keywords can be expanded at runtime from environment
+ variables on the client by enclosing them in ${}, for example
+ ${HOME}/.ssh would refer to the user's .ssh directory. If a specified
+ environment variable does not exist then an error will be returned and
+ the setting for that keyword will be ignored.
+
+ The keywords CertificateFile, ControlPath, IdentityAgent, IdentityFile,
+ KnownHostsCommand, and UserKnownHostsFile support environment variables.
+ The keywords LocalForward and RemoteForward support environment variables
+ only for Unix domain socket paths.
+
+FILES
+ ~/.ssh/config
+ This is the per-user configuration file. The format of this file
+ is described above. This file is used by the SSH client.
+ Because of the potential for abuse, this file must have strict
+ permissions: read/write for the user, and not writable by others.
+
+ /etc/ssh/ssh_config
+ Systemwide configuration file. This file provides defaults for
+ those values that are not specified in the user's configuration
+ file, and for those users who do not have a configuration file.
+ This file must be world-readable.
+
+SEE ALSO
+ ssh(1)
+
+AUTHORS
+ OpenSSH is a derivative of the original and free ssh 1.2.12 release by
+ Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
+ de Raadt and Dug Song removed many bugs, re-added newer features and
+ created OpenSSH. Markus Friedl contributed the support for SSH protocol
+ versions 1.5 and 2.0.
+
+OpenBSD 7.3 October 12, 2023 OpenBSD 7.3