Diffstat (limited to 'ssh_config.0')
-rw-r--r-- ssh_config.0 1431
1 files changed, 1431 insertions, 0 deletions
diff --git a/ssh_config.0 b/ssh_config.0
new file mode 100644
index 00000000..ef6c0936
--- /dev/null
+++ b/ssh_config.0
@@ -0,0 +1,1431 @@
+SSH_CONFIG(5) File Formats Manual SSH_CONFIG(5)
+
+NAME
+ ssh_config M-bM-^@M-^S OpenSSH client configuration file
+
+DESCRIPTION
+ ssh(1) obtains configuration data from the following sources in the
+ following order:
+
+ 1. command-line options
+ 2. user's configuration file (~/.ssh/config)
+ 3. system-wide configuration file (/etc/ssh/ssh_config)
+
+ Unless noted otherwise, for each parameter, the first obtained value will
+ be used. The configuration files contain sections separated by Host
+ specifications, and that section is only applied for hosts that match one
+ of the patterns given in the specification. The matched host name is
+ usually the one given on the command line (see the CanonicalizeHostname
+ option for exceptions).
+
+ Since the first obtained value for each parameter is used, more host-
+ specific declarations should be given near the beginning of the file, and
+ general defaults at the end.
+
+ The file contains keyword-argument pairs, one per line. Lines starting
+ with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines are interpreted as comments. Arguments may
+ optionally be enclosed in double quotes (") in order to represent
+ arguments containing spaces. Configuration options may be separated by
+ whitespace or optional whitespace and exactly one M-bM-^@M-^X=M-bM-^@M-^Y; the latter format
+ is useful to avoid the need to quote whitespace when specifying
+ configuration options using the ssh, scp, and sftp -o option.
+
+ The possible keywords and their meanings are as follows (note that
+ keywords are case-insensitive and arguments are case-sensitive):
+
+ Host Restricts the following declarations (up to the next Host or
+ Match keyword) to be only for those hosts that match one of the
+ patterns given after the keyword. If more than one pattern is
+ provided, they should be separated by whitespace. A single M-bM-^@M-^X*M-bM-^@M-^Y
+ as a pattern can be used to provide global defaults for all
+ hosts. The host is usually the hostname argument given on the
+ command line (see the CanonicalizeHostname keyword for
+ exceptions).
+
+ A pattern entry may be negated by prefixing it with an
+ exclamation mark (M-bM-^@M-^X!M-bM-^@M-^Y). If a negated entry is matched, then the
+ Host entry is ignored, regardless of whether any other patterns
+ on the line match. Negated matches are therefore useful to
+ provide exceptions for wildcard matches.
+
+ See PATTERNS for more information on patterns.
+
+ Match Restricts the following declarations (up to the next Host or
+ Match keyword) to be used only when the conditions following the
+ Match keyword are satisfied. Match conditions are specified
+ using one or more criteria or the single token all which always
+ matches. The available criteria keywords are: canonical, final,
+ exec, localnetwork, host, originalhost, tagged, user, and
+ localuser. The all criteria must appear alone or immediately
+ after canonical or final. Other criteria may be combined
+ arbitrarily. All criteria but all, canonical, and final require
+ an argument. Criteria may be negated by prepending an
+ exclamation mark (M-bM-^@M-^X!M-bM-^@M-^Y).
+
+ The canonical keyword matches only when the configuration file is
+ being re-parsed after hostname canonicalization (see the
+ CanonicalizeHostname option). This may be useful to specify
+ conditions that work with canonical host names only.
+
+ The final keyword requests that the configuration be re-parsed
+ (regardless of whether CanonicalizeHostname is enabled), and
+ matches only during this final pass. If CanonicalizeHostname is
+ enabled, then canonical and final match during the same pass.
+
+ The exec keyword executes the specified command under the user's
+ shell. If the command returns a zero exit status then the
+ condition is considered true. Commands containing whitespace
+ characters must be quoted. Arguments to exec accept the tokens
+ described in the TOKENS section.
+
+ The localnetwork keyword matches the addresses of active local
+ network interfaces against the supplied list of networks in CIDR
+ format. This may be convenient for varying the effective
+ configuration on devices that roam between networks. Note that
+ network address is not a trustworthy criteria in many situations
+ (e.g. when the network is automatically configured using DHCP)
+ and so caution should be applied if using it to control security-
+ sensitive configuration.
+
+ The other keywords' criteria must be single entries or comma-
+ separated lists and may use the wildcard and negation operators
+ described in the PATTERNS section. The criteria for the host
+ keyword are matched against the target hostname, after any
+ substitution by the Hostname or CanonicalizeHostname options.
+ The originalhost keyword matches against the hostname as it was
+ specified on the command-line. The tagged keyword matches a tag
+ name specified by a prior Tag directive or on the ssh(1) command-
+ line using the -P flag. The user keyword matches against the
+ target username on the remote host. The localuser keyword
+ matches against the name of the local user running ssh(1) (this
+ keyword may be useful in system-wide ssh_config files).
+
+ AddKeysToAgent
+ Specifies whether keys should be automatically added to a running
+ ssh-agent(1). If this option is set to yes and a key is loaded
+ from a file, the key and its passphrase are added to the agent
+ with the default lifetime, as if by ssh-add(1). If this option
+ is set to ask, ssh(1) will require confirmation using the
+ SSH_ASKPASS program before adding a key (see ssh-add(1) for
+ details). If this option is set to confirm, each use of the key
+ must be confirmed, as if the -c option was specified to
+ ssh-add(1). If this option is set to no, no keys are added to
+ the agent. Alternately, this option may be specified as a time
+ interval using the format described in the TIME FORMATS section
+ of sshd_config(5) to specify the key's lifetime in ssh-agent(1),
+ after which it will automatically be removed. The argument must
+ be no (the default), yes, confirm (optionally followed by a time
+ interval), ask or a time interval.
+
+ AddressFamily
+ Specifies which address family to use when connecting. Valid
+ arguments are any (the default), inet (use IPv4 only), or inet6
+ (use IPv6 only).
+
+ BatchMode
+ If set to yes, user interaction such as password prompts and host
+ key confirmation requests will be disabled. This option is
+ useful in scripts and other batch jobs where no user is present
+ to interact with ssh(1). The argument must be yes or no (the
+ default).
+
+ BindAddress
+ Use the specified address on the local machine as the source
+ address of the connection. Only useful on systems with more than
+ one address.
+
+ BindInterface
+ Use the address of the specified interface on the local machine
+ as the source address of the connection.
+
+ CanonicalDomains
+ When CanonicalizeHostname is enabled, this option specifies the
+ list of domain suffixes in which to search for the specified
+ destination host.
+
+ CanonicalizeFallbackLocal
+ Specifies whether to fail with an error when hostname
+ canonicalization fails. The default, yes, will attempt to look
+ up the unqualified hostname using the system resolver's search
+ rules. A value of no will cause ssh(1) to fail instantly if
+ CanonicalizeHostname is enabled and the target hostname cannot be
+ found in any of the domains specified by CanonicalDomains.
+
+ CanonicalizeHostname
+ Controls whether explicit hostname canonicalization is performed.
+ The default, no, is not to perform any name rewriting and let the
+ system resolver handle all hostname lookups. If set to yes then,
+ for connections that do not use a ProxyCommand or ProxyJump,
+ ssh(1) will attempt to canonicalize the hostname specified on the
+ command line using the CanonicalDomains suffixes and
+ CanonicalizePermittedCNAMEs rules. If CanonicalizeHostname is
+ set to always, then canonicalization is applied to proxied
+ connections too.
+
+ If this option is enabled, then the configuration files are
+ processed again using the new target name to pick up any new
+ configuration in matching Host and Match stanzas. A value of
+ none disables the use of a ProxyJump host.
+
+ CanonicalizeMaxDots
+ Specifies the maximum number of dot characters in a hostname
+ before canonicalization is disabled. The default, 1, allows a
+ single dot (i.e. hostname.subdomain).
+
+ CanonicalizePermittedCNAMEs
+ Specifies rules to determine whether CNAMEs should be followed
+ when canonicalizing hostnames. The rules consist of one or more
+ arguments of source_domain_list:target_domain_list, where
+ source_domain_list is a pattern-list of domains that may follow
+ CNAMEs in canonicalization, and target_domain_list is a pattern-
+ list of domains that they may resolve to.
+
+ For example, "*.a.example.com:*.b.example.com,*.c.example.com"
+ will allow hostnames matching "*.a.example.com" to be
+ canonicalized to names in the "*.b.example.com" or
+ "*.c.example.com" domains.
+
+ A single argument of "none" causes no CNAMEs to be considered for
+ canonicalization. This is the default behaviour.
+
+ CASignatureAlgorithms
+ Specifies which algorithms are allowed for signing of
+ certificates by certificate authorities (CAs). The default is:
+
+ ssh-ed25519,ecdsa-sha2-nistp256,
+ ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ sk-ssh-ed25519@openssh.com,
+ sk-ecdsa-sha2-nistp256@openssh.com,
+ rsa-sha2-512,rsa-sha2-256
+
+ If the specified list begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the
+ specified algorithms will be appended to the default set instead
+ of replacing them. If the specified list begins with a M-bM-^@M-^X-M-bM-^@M-^Y
+ character, then the specified algorithms (including wildcards)
+ will be removed from the default set instead of replacing them.
+
+ ssh(1) will not accept host certificates signed using algorithms
+ other than those specified.
+
+ CertificateFile
+ Specifies a file from which the user's certificate is read. A
+ corresponding private key must be provided separately in order to
+ use this certificate either from an IdentityFile directive or -i
+ flag to ssh(1), via ssh-agent(1), or via a PKCS11Provider or
+ SecurityKeyProvider.
+
+ Arguments to CertificateFile may use the tilde syntax to refer to
+ a user's home directory, the tokens described in the TOKENS
+ section and environment variables as described in the ENVIRONMENT
+ VARIABLES section.
+
+ It is possible to have multiple certificate files specified in
+ configuration files; these certificates will be tried in
+ sequence. Multiple CertificateFile directives will add to the
+ list of certificates used for authentication.
+
+ ChannelTimeout
+ Specifies whether and how quickly ssh(1) should close inactive
+ channels. Timeouts are specified as one or more M-bM-^@M-^\type=intervalM-bM-^@M-^]
+ pairs separated by whitespace, where the M-bM-^@M-^\typeM-bM-^@M-^] must be the
+ special keyword M-bM-^@M-^\globalM-bM-^@M-^] or a channel type name from the list
+ below, optionally containing wildcard characters.
+
+ The timeout value M-bM-^@M-^\intervalM-bM-^@M-^] is specified in seconds or may use
+ any of the units documented in the TIME FORMATS section. For
+ example, M-bM-^@M-^\session=5mM-bM-^@M-^] would cause interactive sessions to
+ terminate after five minutes of inactivity. Specifying a zero
+ value disables the inactivity timeout.
+
+ The special timeout M-bM-^@M-^\globalM-bM-^@M-^] applies to all active channels,
+ taken together. Traffic on any active channel will reset the
+ timeout, but when the timeout expires then all open channels will
+ be closed. Note that this global timeout is not matched by
+ wildcards and must be specified explicitly.
+
+ The available channel type names include:
+
+ agent-connection
+ Open connections to ssh-agent(1).
+
+ direct-tcpip, direct-streamlocal@openssh.com
+ Open TCP or Unix socket (respectively) connections that
+ have been established from a ssh(1) local forwarding,
+ i.e. LocalForward or DynamicForward.
+
+ forwarded-tcpip, forwarded-streamlocal@openssh.com
+ Open TCP or Unix socket (respectively) connections that
+ have been established to a sshd(8) listening on behalf of
+ a ssh(1) remote forwarding, i.e. RemoteForward.
+
+ session
+ The interactive main session, including shell session,
+ command execution, scp(1), sftp(1), etc.
+
+ tun-connection
+ Open TunnelForward connections.
+
+ x11-connection
+ Open X11 forwarding sessions.
+
+ Note that in all the above cases, terminating an inactive session
+ does not guarantee to remove all resources associated with the
+ session, e.g. shell processes or X11 clients relating to the
+ session may continue to execute.
+
+ Moreover, terminating an inactive channel or session does not
+ necessarily close the SSH connection, nor does it prevent a
+ client from requesting another channel of the same type. In
+ particular, expiring an inactive forwarding session does not
+ prevent another identical forwarding from being subsequently
+ created.
+
+ The default is not to expire channels of any type for inactivity.
+
+ CheckHostIP
+ If set to yes, ssh(1) will additionally check the host IP address
+ in the known_hosts file. This allows it to detect if a host key
+ changed due to DNS spoofing and will add addresses of destination
+ hosts to ~/.ssh/known_hosts in the process, regardless of the
+ setting of StrictHostKeyChecking. If the option is set to no
+ (the default), the check will not be executed.
+
+ Ciphers
+ Specifies the ciphers allowed and their order of preference.
+ Multiple ciphers must be comma-separated. If the specified list
+ begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified ciphers will be
+ appended to the default set instead of replacing them. If the
+ specified list begins with a M-bM-^@M-^X-M-bM-^@M-^Y character, then the specified
+ ciphers (including wildcards) will be removed from the default
+ set instead of replacing them. If the specified list begins with
+ a M-bM-^@M-^X^M-bM-^@M-^Y character, then the specified ciphers will be placed at the
+ head of the default set.
+
+ The supported ciphers are:
+
+ 3des-cbc
+ aes128-cbc
+ aes192-cbc
+ aes256-cbc
+ aes128-ctr
+ aes192-ctr
+ aes256-ctr
+ aes128-gcm@openssh.com
+ aes256-gcm@openssh.com
+ chacha20-poly1305@openssh.com
+
+ The default is:
+
+ chacha20-poly1305@openssh.com,
+ aes128-ctr,aes192-ctr,aes256-ctr,
+ aes128-gcm@openssh.com,aes256-gcm@openssh.com
+
+ The list of available ciphers may also be obtained using "ssh -Q
+ cipher".
+
+ ClearAllForwardings
+ Specifies that all local, remote, and dynamic port forwardings
+ specified in the configuration files or on the command line be
+ cleared. This option is primarily useful when used from the
+ ssh(1) command line to clear port forwardings set in
+ configuration files, and is automatically set by scp(1) and
+ sftp(1). The argument must be yes or no (the default).
+
+ Compression
+ Specifies whether to use compression. The argument must be yes
+ or no (the default).
+
+ ConnectionAttempts
+ Specifies the number of tries (one per second) to make before
+ exiting. The argument must be an integer. This may be useful in
+ scripts if the connection sometimes fails. The default is 1.
+
+ ConnectTimeout
+ Specifies the timeout (in seconds) used when connecting to the
+ SSH server, instead of using the default system TCP timeout.
+ This timeout is applied both to establishing the connection and
+ to performing the initial SSH protocol handshake and key
+ exchange.
+
+ ControlMaster
+ Enables the sharing of multiple sessions over a single network
+ connection. When set to yes, ssh(1) will listen for connections
+ on a control socket specified using the ControlPath argument.
+ Additional sessions can connect to this socket using the same
+ ControlPath with ControlMaster set to no (the default). These
+ sessions will try to reuse the master instance's network
+ connection rather than initiating new ones, but will fall back to
+ connecting normally if the control socket does not exist, or is
+ not listening.
+
+ Setting this to ask will cause ssh(1) to listen for control
+ connections, but require confirmation using ssh-askpass(1). If
+ the ControlPath cannot be opened, ssh(1) will continue without
+ connecting to a master instance.
+
+ X11 and ssh-agent(1) forwarding is supported over these
+ multiplexed connections, however the display and agent forwarded
+ will be the one belonging to the master connection i.e. it is not
+ possible to forward multiple displays or agents.
+
+ Two additional options allow for opportunistic multiplexing: try
+ to use a master connection but fall back to creating a new one if
+ one does not already exist. These options are: auto and autoask.
+ The latter requires confirmation like the ask option.
+
+ ControlPath
+ Specify the path to the control socket used for connection
+ sharing as described in the ControlMaster section above or the
+ string none to disable connection sharing. Arguments to
+ ControlPath may use the tilde syntax to refer to a user's home
+ directory, the tokens described in the TOKENS section and
+ environment variables as described in the ENVIRONMENT VARIABLES
+ section. It is recommended that any ControlPath used for
+ opportunistic connection sharing include at least %h, %p, and %r
+ (or alternatively %C) and be placed in a directory that is not
+ writable by other users. This ensures that shared connections
+ are uniquely identified.
+
+ ControlPersist
+ When used in conjunction with ControlMaster, specifies that the
+ master connection should remain open in the background (waiting
+ for future client connections) after the initial client
+ connection has been closed. If set to no (the default), then the
+ master connection will not be placed into the background, and
+ will close as soon as the initial client connection is closed.
+ If set to yes or 0, then the master connection will remain in the
+ background indefinitely (until killed or closed via a mechanism
+ such as the "ssh -O exit"). If set to a time in seconds, or a
+ time in any of the formats documented in sshd_config(5), then the
+ backgrounded master connection will automatically terminate after
+ it has remained idle (with no client connections) for the
+ specified time.
+
+ DynamicForward
+ Specifies that a TCP port on the local machine be forwarded over
+ the secure channel, and the application protocol is then used to
+ determine where to connect to from the remote machine.
+
+ The argument must be [bind_address:]port. IPv6 addresses can be
+ specified by enclosing addresses in square brackets. By default,
+ the local port is bound in accordance with the GatewayPorts
+ setting. However, an explicit bind_address may be used to bind
+ the connection to a specific address. The bind_address of
+ localhost indicates that the listening port be bound for local
+ use only, while an empty address or M-bM-^@M-^X*M-bM-^@M-^Y indicates that the port
+ should be available from all interfaces.
+
+ Currently the SOCKS4 and SOCKS5 protocols are supported, and
+ ssh(1) will act as a SOCKS server. Multiple forwardings may be
+ specified, and additional forwardings can be given on the command
+ line. Only the superuser can forward privileged ports.
+
+ EnableEscapeCommandline
+ Enables the command line option in the EscapeChar menu for
+ interactive sessions (default M-bM-^@M-^X~CM-bM-^@M-^Y). By default, the command
+ line is disabled.
+
+ EnableSSHKeysign
+ Setting this option to yes in the global client configuration
+ file /etc/ssh/ssh_config enables the use of the helper program
+ ssh-keysign(8) during HostbasedAuthentication. The argument must
+ be yes or no (the default). This option should be placed in the
+ non-hostspecific section. See ssh-keysign(8) for more
+ information.
+
+ EscapeChar
+ Sets the escape character (default: M-bM-^@M-^X~M-bM-^@M-^Y). The escape character
+ can also be set on the command line. The argument should be a
+ single character, M-bM-^@M-^X^M-bM-^@M-^Y followed by a letter, or none to disable
+ the escape character entirely (making the connection transparent
+ for binary data).
+
+ ExitOnForwardFailure
+ Specifies whether ssh(1) should terminate the connection if it
+ cannot set up all requested dynamic, tunnel, local, and remote
+ port forwardings, (e.g. if either end is unable to bind and
+ listen on a specified port). Note that ExitOnForwardFailure does
+ not apply to connections made over port forwardings and will not,
+ for example, cause ssh(1) to exit if TCP connections to the
+ ultimate forwarding destination fail. The argument must be yes
+ or no (the default).
+
+ FingerprintHash
+ Specifies the hash algorithm used when displaying key
+ fingerprints. Valid options are: md5 and sha256 (the default).
+
+ ForkAfterAuthentication
+ Requests ssh to go to background just before command execution.
+ This is useful if ssh is going to ask for passwords or
+ passphrases, but the user wants it in the background. This
+ implies the StdinNull configuration option being set to M-bM-^@M-^\yesM-bM-^@M-^].
+ The recommended way to start X11 programs at a remote site is
+ with something like ssh -f host xterm, which is the same as ssh
+ host xterm if the ForkAfterAuthentication configuration option is
+ set to M-bM-^@M-^\yesM-bM-^@M-^].
+
+ If the ExitOnForwardFailure configuration option is set to M-bM-^@M-^\yesM-bM-^@M-^],
+ then a client started with the ForkAfterAuthentication
+ configuration option being set to M-bM-^@M-^\yesM-bM-^@M-^] will wait for all remote
+ port forwards to be successfully established before placing
+ itself in the background. The argument to this keyword must be
+ yes (same as the -f option) or no (the default).
+
+ ForwardAgent
+ Specifies whether the connection to the authentication agent (if
+ any) will be forwarded to the remote machine. The argument may
+ be yes, no (the default), an explicit path to an agent socket or
+ the name of an environment variable (beginning with M-bM-^@M-^X$M-bM-^@M-^Y) in which
+ to find the path.
+
+ Agent forwarding should be enabled with caution. Users with the
+ ability to bypass file permissions on the remote host (for the
+ agent's Unix-domain socket) can access the local agent through
+ the forwarded connection. An attacker cannot obtain key material
+ from the agent, however they can perform operations on the keys
+ that enable them to authenticate using the identities loaded into
+ the agent.
+
+ ForwardX11
+ Specifies whether X11 connections will be automatically
+ redirected over the secure channel and DISPLAY set. The argument
+ must be yes or no (the default).
+
+ X11 forwarding should be enabled with caution. Users with the
+ ability to bypass file permissions on the remote host (for the
+ user's X11 authorization database) can access the local X11
+ display through the forwarded connection. An attacker may then
+ be able to perform activities such as keystroke monitoring if the
+ ForwardX11Trusted option is also enabled.
+
+ ForwardX11Timeout
+ Specify a timeout for untrusted X11 forwarding using the format
+ described in the TIME FORMATS section of sshd_config(5). X11
+ connections received by ssh(1) after this time will be refused.
+ Setting ForwardX11Timeout to zero will disable the timeout and
+ permit X11 forwarding for the life of the connection. The
+ default is to disable untrusted X11 forwarding after twenty
+ minutes has elapsed.
+
+ ForwardX11Trusted
+ If this option is set to yes, remote X11 clients will have full
+ access to the original X11 display.
+
+ If this option is set to no (the default), remote X11 clients
+ will be considered untrusted and prevented from stealing or
+ tampering with data belonging to trusted X11 clients.
+ Furthermore, the xauth(1) token used for the session will be set
+ to expire after 20 minutes. Remote clients will be refused
+ access after this time.
+
+ See the X11 SECURITY extension specification for full details on
+ the restrictions imposed on untrusted clients.
+
+ GatewayPorts
+ Specifies whether remote hosts are allowed to connect to local
+ forwarded ports. By default, ssh(1) binds local port forwardings
+ to the loopback address. This prevents other remote hosts from
+ connecting to forwarded ports. GatewayPorts can be used to
+ specify that ssh should bind local port forwardings to the
+ wildcard address, thus allowing remote hosts to connect to
+ forwarded ports. The argument must be yes or no (the default).
+
+ GlobalKnownHostsFile
+ Specifies one or more files to use for the global host key
+ database, separated by whitespace. The default is
+ /etc/ssh/ssh_known_hosts, /etc/ssh/ssh_known_hosts2.
+
+ GSSAPIAuthentication
+ Specifies whether user authentication based on GSSAPI is allowed.
+ The default is no.
+
+ GSSAPIDelegateCredentials
+ Forward (delegate) credentials to the server. The default is no.
+
+ HashKnownHosts
+ Indicates that ssh(1) should hash host names and addresses when
+ they are added to ~/.ssh/known_hosts. These hashed names may be
+ used normally by ssh(1) and sshd(8), but they do not visually
+ reveal identifying information if the file's contents are
+ disclosed. The default is no. Note that existing names and
+ addresses in known hosts files will not be converted
+ automatically, but may be manually hashed using ssh-keygen(1).
+
+ HostbasedAcceptedAlgorithms
+ Specifies the signature algorithms that will be used for
+ hostbased authentication as a comma-separated list of patterns.
+ Alternately if the specified list begins with a M-bM-^@M-^X+M-bM-^@M-^Y character,
+ then the specified signature algorithms will be appended to the
+ default set instead of replacing them. If the specified list
+ begins with a M-bM-^@M-^X-M-bM-^@M-^Y character, then the specified signature
+ algorithms (including wildcards) will be removed from the default
+ set instead of replacing them. If the specified list begins with
+ a M-bM-^@M-^X^M-bM-^@M-^Y character, then the specified signature algorithms will be
+ placed at the head of the default set. The default for this
+ option is:
+
+ ssh-ed25519-cert-v01@openssh.com,
+ ecdsa-sha2-nistp256-cert-v01@openssh.com,
+ ecdsa-sha2-nistp384-cert-v01@openssh.com,
+ ecdsa-sha2-nistp521-cert-v01@openssh.com,
+ sk-ssh-ed25519-cert-v01@openssh.com,
+ sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
+ rsa-sha2-512-cert-v01@openssh.com,
+ rsa-sha2-256-cert-v01@openssh.com,
+ ssh-ed25519,
+ ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ sk-ssh-ed25519@openssh.com,
+ sk-ecdsa-sha2-nistp256@openssh.com,
+ rsa-sha2-512,rsa-sha2-256
+
+ The -Q option of ssh(1) may be used to list supported signature
+ algorithms. This was formerly named HostbasedKeyTypes.
+
+ HostbasedAuthentication
+ Specifies whether to try rhosts based authentication with public
+ key authentication. The argument must be yes or no (the
+ default).
+
+ HostKeyAlgorithms
+ Specifies the host key signature algorithms that the client wants
+ to use in order of preference. Alternately if the specified list
+ begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified signature
+ algorithms will be appended to the default set instead of
+ replacing them. If the specified list begins with a M-bM-^@M-^X-M-bM-^@M-^Y
+ character, then the specified signature algorithms (including
+ wildcards) will be removed from the default set instead of
+ replacing them. If the specified list begins with a M-bM-^@M-^X^M-bM-^@M-^Y
+ character, then the specified signature algorithms will be placed
+ at the head of the default set. The default for this option is:
+
+ ssh-ed25519-cert-v01@openssh.com,
+ ecdsa-sha2-nistp256-cert-v01@openssh.com,
+ ecdsa-sha2-nistp384-cert-v01@openssh.com,
+ ecdsa-sha2-nistp521-cert-v01@openssh.com,
+ sk-ssh-ed25519-cert-v01@openssh.com,
+ sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
+ rsa-sha2-512-cert-v01@openssh.com,
+ rsa-sha2-256-cert-v01@openssh.com,
+ ssh-ed25519,
+ ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ sk-ecdsa-sha2-nistp256@openssh.com,
+ sk-ssh-ed25519@openssh.com,
+ rsa-sha2-512,rsa-sha2-256
+
+ If hostkeys are known for the destination host then this default
+ is modified to prefer their algorithms.
+
+ The list of available signature algorithms may also be obtained
+ using "ssh -Q HostKeyAlgorithms".
+
+ HostKeyAlias
+ Specifies an alias that should be used instead of the real host
+ name when looking up or saving the host key in the host key
+ database files and when validating host certificates. This
+ option is useful for tunneling SSH connections or for multiple
+ servers running on a single host.
+
+ Hostname
+ Specifies the real host name to log into. This can be used to
+ specify nicknames or abbreviations for hosts. Arguments to
+ Hostname accept the tokens described in the TOKENS section.
+ Numeric IP addresses are also permitted (both on the command line
+ and in Hostname specifications). The default is the name given
+ on the command line.
+
+ IdentitiesOnly
+ Specifies that ssh(1) should only use the configured
+ authentication identity and certificate files (either the default
+ files, or those explicitly configured in the ssh_config files or
+ passed on the ssh(1) command-line), even if ssh-agent(1) or a
+ PKCS11Provider or SecurityKeyProvider offers more identities.
+ The argument to this keyword must be yes or no (the default).
+ This option is intended for situations where ssh-agent offers
+ many different identities.
+
+ IdentityAgent
+ Specifies the UNIX-domain socket used to communicate with the
+ authentication agent.
+
+ This option overrides the SSH_AUTH_SOCK environment variable and
+ can be used to select a specific agent. Setting the socket name
+ to none disables the use of an authentication agent. If the
+ string "SSH_AUTH_SOCK" is specified, the location of the socket
+ will be read from the SSH_AUTH_SOCK environment variable.
+ Otherwise if the specified value begins with a M-bM-^@M-^X$M-bM-^@M-^Y character,
+ then it will be treated as an environment variable containing the
+ location of the socket.
+
+ Arguments to IdentityAgent may use the tilde syntax to refer to a
+ user's home directory, the tokens described in the TOKENS section
+ and environment variables as described in the ENVIRONMENT
+ VARIABLES section.
+
+ IdentityFile
+ Specifies a file from which the user's ECDSA, authenticator-
+ hosted ECDSA, Ed25519, authenticator-hosted Ed25519 or RSA
+ authentication identity is read. You can also specify a public
+ key file to use the corresponding private key that is loaded in
+ ssh-agent(1) when the private key file is not present locally.
+ The default is ~/.ssh/id_rsa, ~/.ssh/id_ecdsa,
+ ~/.ssh/id_ecdsa_sk, ~/.ssh/id_ed25519 and ~/.ssh/id_ed25519_sk.
+ Additionally, any identities represented by the authentication
+ agent will be used for authentication unless IdentitiesOnly is
+ set. If no certificates have been explicitly specified by
+ CertificateFile, ssh(1) will try to load certificate information
+ from the filename obtained by appending -cert.pub to the path of
+ a specified IdentityFile.
+
+ Arguments to IdentityFile may use the tilde syntax to refer to a
+ user's home directory or the tokens described in the TOKENS
+ section. Alternately an argument of none may be used to indicate
+ no identity files should be loaded.
+
+ It is possible to have multiple identity files specified in
+ configuration files; all these identities will be tried in
+ sequence. Multiple IdentityFile directives will add to the list
+ of identities tried (this behaviour differs from that of other
+ configuration directives).
+
+ IdentityFile may be used in conjunction with IdentitiesOnly to
+ select which identities in an agent are offered during
+ authentication. IdentityFile may also be used in conjunction
+ with CertificateFile in order to provide any certificate also
+ needed for authentication with the identity.
+
+ IgnoreUnknown
+ Specifies a pattern-list of unknown options to be ignored if they
+ are encountered in configuration parsing. This may be used to
+ suppress errors if ssh_config contains options that are
+ unrecognised by ssh(1). It is recommended that IgnoreUnknown be
+ listed early in the configuration file as it will not be applied
+ to unknown options that appear before it.
+
+ Include
+ Include the specified configuration file(s). Multiple pathnames
+ may be specified and each pathname may contain glob(7) wildcards
+ and, for user configurations, shell-like M-bM-^@M-^X~M-bM-^@M-^Y references to user
+ home directories. Wildcards will be expanded and processed in
+ lexical order. Files without absolute paths are assumed to be in
+ ~/.ssh if included in a user configuration file or /etc/ssh if
+ included from the system configuration file. Include directive
+ may appear inside a Match or Host block to perform conditional
+ inclusion.
+
+ IPQoS Specifies the IPv4 type-of-service or DSCP class for connections.
+ Accepted values are af11, af12, af13, af21, af22, af23, af31,
+ af32, af33, af41, af42, af43, cs0, cs1, cs2, cs3, cs4, cs5, cs6,
+ cs7, ef, le, lowdelay, throughput, reliability, a numeric value,
+ or none to use the operating system default. This option may
+ take one or two arguments, separated by whitespace. If one
+ argument is specified, it is used as the packet class
+ unconditionally. If two values are specified, the first is
+ automatically selected for interactive sessions and the second
+ for non-interactive sessions. The default is af21 (Low-Latency
+ Data) for interactive sessions and cs1 (Lower Effort) for non-
+ interactive sessions.
+
+ KbdInteractiveAuthentication
+ Specifies whether to use keyboard-interactive authentication.
+ The argument to this keyword must be yes (the default) or no.
+ ChallengeResponseAuthentication is a deprecated alias for this.
+
+ KbdInteractiveDevices
+ Specifies the list of methods to use in keyboard-interactive
+ authentication. Multiple method names must be comma-separated.
+ T
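Review bot: In the CanonicalizeHostname entry, the closing sentence "A value of none disables the use of a ProxyJump host." does not describe this keyword. The entry documents only no, yes and always as values, and the sentence refers to ProxyJump, so a reader could take none to be a valid CanonicalizeHostname setting. Move it to the ProxyJump entry or drop it here. Separately, as rendered on this page the NAME line and every quoted literal (the comment character, the "=" separator, the negation mark, the list prefixes under Ciphers, CASignatureAlgorithms and HostKeyAlgorithms) carry M-bM-^@... byte sequences where punctuation should be. Because these markers surround the exact characters a user has to type into a security-relevant config, consider regenerating the preformatted page with ASCII output (for example mandoc -T ascii) so the committed text is unambiguous in any locale.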