Diffstat (limited to 'ssh_config.5')
-rw-r--r--  ssh_config.5  84
1 file changed, 53 insertions, 31 deletions
diff --git a/ssh_config.5 b/ssh_config.5 index 412629637fc5..02a87892d870 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.292 2019/03/01 02:16:47 djm Exp $ -.Dd $Mdocdate: March 1 2019 $ +.\" $OpenBSD: ssh_config.5,v 1.304 2019/09/13 04:52:34 djm Exp $ +.Dd $Mdocdate: September 13 2019 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -361,7 +361,7 @@ Specifies which algorithms are allowed for signing of certificates by certificate authorities (CAs). The default is: .Bd -literal -offset indent -ecdsa-sha2-nistp256.ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa .Ed .Pp @@ -422,14 +422,18 @@ the check will not be executed. .It Cm Ciphers Specifies the ciphers allowed and their order of preference. Multiple ciphers must be comma-separated. -If the specified value begins with a +If the specified list begins with a .Sq + character, then the specified ciphers will be appended to the default set instead of replacing them. -If the specified value begins with a +If the specified list begins with a .Sq - character, then the specified ciphers (including wildcards) will be removed from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified ciphers will be placed at the head of the +default set. .Pp The supported ciphers are: .Bd -literal -offset indent 
@@ -485,8 +489,8 @@ The default is 1. .It Cm ConnectTimeout Specifies the timeout (in seconds) used when connecting to the SSH server, instead of using the default system TCP timeout. -This value is used only when the target is down or really unreachable, -not when it refuses the connection. +This timeout is applied both to establishing the connection and to performing +the initial SSH protocol handshake and key exchange. .It Cm ControlMaster Enables the sharing of multiple sessions over a single network connection. When set to @@ -786,14 +790,18 @@ or .It Cm HostbasedKeyTypes Specifies the key types that will be used for hostbased authentication as a comma-separated list of patterns. -Alternately if the specified value begins with a +Alternately if the specified list begins with a .Sq + character, then the specified key types will be appended to the default set instead of replacing them. -If the specified value begins with a +If the specified list begins with a .Sq - character, then the specified key types (including wildcards) will be removed from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified key types will be placed at the head of the +default set. The default for this option is: .Bd -literal -offset 3n ecdsa-sha2-nistp256-cert-v01@openssh.com, 
@@ -814,14 +822,18 @@ may be used to list supported key types. .It Cm HostKeyAlgorithms Specifies the host key algorithms that the client wants to use in order of preference. -Alternately if the specified value begins with a +Alternately if the specified list begins with a .Sq + character, then the specified key types will be appended to the default set instead of replacing them. -If the specified value begins with a +If the specified list begins with a .Sq - character, then the specified key types (including wildcards) will be removed from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified key types will be placed at the head of the +default set. The default for this option is: .Bd -literal -offset 3n ecdsa-sha2-nistp256-cert-v01@openssh.com, @@ -845,28 +857,28 @@ real host name when looking up or saving the host key in the host key database files and when validating host certificates. This option is useful for tunneling SSH connections or for multiple servers running on a single host. -.It Cm HostName +.It Cm Hostname Specifies the real host name to log into. This can be used to specify nicknames or abbreviations for hosts. Arguments to -.Cm HostName +.Cm Hostname accept the tokens described in the .Sx TOKENS section. Numeric IP addresses are also permitted (both on the command line and in -.Cm HostName +.Cm Hostname specifications). The default is the name given on the command line. .It Cm IdentitiesOnly Specifies that .Xr ssh 1 -should only use the authentication identity and certificate files explicitly -configured in the +should only use the configured authentication identity and certificate files +(either the default files, or those explicitly configured in the .Nm files or passed on the .Xr ssh 1 -command-line, +command-line), even if .Xr ssh-agent 1 or a 
@@ -1043,14 +1055,18 @@ and .It Cm KexAlgorithms Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated. -Alternately if the specified value begins with a +If the specified list begins with a .Sq + character, then the specified methods will be appended to the default set instead of replacing them. -If the specified value begins with a +If the specified list begins with a .Sq - character, then the specified methods (including wildcards) will be removed from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified methods will be placed at the head of the +default set. The default is: .Bd -literal -offset indent curve25519-sha256,curve25519-sha256@libssh.org, @@ -1124,14 +1140,18 @@ Specifies the MAC (message authentication code) algorithms in order of preference. The MAC algorithm is used for data integrity protection. Multiple algorithms must be comma-separated. -If the specified value begins with a +If the specified list begins with a .Sq + character, then the specified algorithms will be appended to the default set instead of replacing them. -If the specified value begins with a +If the specified list begins with a .Sq - character, then the specified algorithms (including wildcards) will be removed from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified algorithms will be placed at the head of the +default set. .Pp The algorithms that contain .Qq -etm @@ -1222,8 +1242,8 @@ server running on some machine, or execute .Ic sshd -i somewhere. Host key management will be done using the -HostName of the host being connected (defaulting to the name typed by -the user). +.Cm Hostname +of the host being connected (defaulting to the name typed by the user). Setting the command to .Cm none disables this option entirely. 
@@ -1281,14 +1301,18 @@ The default is .It Cm PubkeyAcceptedKeyTypes Specifies the key types that will be used for public key authentication as a comma-separated list of patterns. -Alternately if the specified value begins with a +If the specified list begins with a .Sq + character, then the key types after it will be appended to the default instead of replacing it. -If the specified value begins with a +If the specified list begins with a .Sq - character, then the specified key types (including wildcards) will be removed from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified key types will be placed at the head of the +default set. The default for this option is: .Bd -literal -offset 3n ecdsa-sha2-nistp256-cert-v01@openssh.com, @@ -1326,9 +1350,7 @@ and .Sq 4G , depending on the cipher. The optional second value is specified in seconds and may use any of the -units documented in the -.Sx TIME FORMATS -section of +units documented in the TIME FORMATS section of .Xr sshd_config 5 . The default value for .Cm RekeyLimit @@ -1462,7 +1484,7 @@ The TCP keepalive option enabled by .Cm TCPKeepAlive is spoofable. The server alive mechanism is valuable when the client or -server depend on knowing when a connection has become inactive. +server depend on knowing when a connection has become unresponsive. .Pp The default value is 3. If, for example, @@ -1787,7 +1809,7 @@ accepts the tokens %%, %d, %h, %i, %l, %r, and %u. .Cm ControlPath accepts the tokens %%, %C, %h, %i, %L, %l, %n, %p, %r, and %u. .Pp -.Cm HostName +.Cm Hostname accepts the tokens %% and %h. .Pp .Cm IdentityAgent @@ -1799,7 +1821,7 @@ accept the tokens %%, %d, %h, %i, %l, %r, and %u. accepts the tokens %%, %C, %d, %h, %i, %l, %n, %p, %r, %T, and %u. .Pp .Cm ProxyCommand -accepts the tokens %%, %h, %p, and %r. +accepts the tokens %%, %h, %n, %p, and %r. .Pp .Cm RemoteCommand accepts the tokens %%, %C, %d, %h, %i, %l, %n, %p, %r, and %u. |
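Review bot: the new `^` paragraph in the Ciphers hunk (@@ -422) leaves two things unspecified: what happens when a name in the `^` list is also in the default set (is it moved to the head, or does it appear twice?), and whether `^` accepts wildcards the way the `-` sentence explicitly says it does. Since exactly the same three lines are copied into the HostbasedKeyTypes, HostKeyAlgorithms, KexAlgorithms, MACs and PubkeyAcceptedKeyTypes hunks, settle the wording once here and mirror it in the other five places; a one-line illustration of the difference from `+` (for example `Ciphers ^aes256-gcm@openssh.com` versus `Ciphers +aes256-gcm@openssh.com`) would make the preference-order effect obvious to readers hardening a client.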
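Review bot: the rewritten ConnectTimeout text (@@ -485) changes the documented semantics rather than just the wording: the timer now covers the initial protocol handshake and key exchange as well as the TCP connect, so a small value chosen under the old description (a few seconds, enough for a dead host to time out) can now abort sessions to servers that accept the TCP connection quickly but are slow to finish KEX, such as a loaded bastion or a host behind a rate limiter. Say that explicitly, and state what applies when the option is unset: the unchanged sentence above still promises only "the default system TCP timeout", which says nothing about a handshake that never completes.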
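Review bot: the lead-in of the `+` paragraph is now inconsistent across the options this patch touches: the HostbasedKeyTypes (@@ -786) and HostKeyAlgorithms (@@ -814) hunks keep "Alternately if the specified list begins with a", while the KexAlgorithms (@@ -1043) and PubkeyAcceptedKeyTypes (@@ -1281) hunks drop "Alternately", and Ciphers and MACs never had it. Every one of these lines is being rewritten anyway, so use the plain "If the specified list begins with a" form in all six places.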
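Review bot: the IdentitiesOnly rewrite (@@ -845) now says the default identity files are tried even when none is configured, but "the default files" is not defined in this paragraph; add a cross-reference to the IdentityFile option, where the defaults are enumerated, so a reader does not take IdentitiesOnly without IdentityFile to mean "offer no keys at all". In the same hunk the HostName to Hostname rename is carried through to ProxyCommand (@@ -1222) and the TOKENS section (@@ -1787), but it leaves Hostname as the only non-CamelCase keyword on the page; if that is the intended canonical spelling, ssh.1 and sshd_config.5 should be checked for remaining uses of the old form.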
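Review bot: in the PubkeyAcceptedKeyTypes hunk (@@ -1281) the `+` sentence still reads "the key types after it will be appended to the default instead of replacing it", which differs from the "appended to the default set instead of replacing them" wording used for every other option in this patch; the line directly above it is being rewritten, so align this sentence at the same time.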
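Review bot: adding %n to the ProxyCommand token list (@@ -1799) documents a behaviour change, not a typo fix, so it should land together with the client-side change that actually expands %n for ProxyCommand; otherwise the TOKENS section and the code disagree and users who write `ProxyCommand ... %n` get behaviour the manual does not describe. A short sentence on why %n is useful here would also help: Hostname can rewrite what %h expands to (the hunk at @@ -1787 shows Hostname itself takes %h), so %n is the way to key a ProxyCommand on the name the user typed rather than the rewritten address.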