Lines Matching +full:host +full:- +full:only

48 .Bl -enum -offset indent -compact
50 command-line options
55 system-wide configuration file
62 .Cm Host
63 specifications, and that section is only applied for hosts that
65 The matched host name is usually the one given on the command line
71 host-specific declarations should be given near the beginning of the
74 The file contains keyword-argument pairs, one per line.
95 keywords are case-insensitive and arguments are case-sensitive):
96 .Bl -tag -width Ds
97 .It Cm Host
99 .Cm Host
102 keyword) to be only for those hosts that match one of the patterns
109 The host is usually the
119 .Cm Host
130 .Cm Host
133 keyword) to be used only when the conditions following the
145 .Cm host ,
169 keyword matches only when the configuration file is being re-parsed
173 This may be useful to specify conditions that work with canonical host
174 names only.
178 keyword requests that the configuration be re-parsed (regardless of whether
180 is enabled), and matches only during this final pass.
208 and so caution should be applied if using it to control security-sensitive
211 The other keywords' criteria must be single entries or comma-separated
216 .Cm host
225 keyword matches against the hostname as it was specified on the command-line.
232 command-line using the
237 keyword matches against the target username on the remote host.
242 (this keyword may be useful in system-wide
247 .Xr ssh-agent 1 .
252 .Xr ssh-add 1 .
259 .Xr ssh-add 1
266 .Xr ssh-add 1 .
276 .Xr ssh-agent 1 ,
292 (use IPv4 only), or
294 (use IPv6 only).
298 user interaction such as password prompts and host key confirmation requests
311 Only useful on systems with more than one address.
319 search for the specified destination host.
362 .Cm Host
370 host.
383 is a pattern-list of domains that may follow CNAMEs in canonicalization,
386 is a pattern-list of domains that they may resolve to.
406 .Bd -literal -offset indent
407 ssh-ed25519,ecdsa-sha2-nistp256,
408 ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
409 sk-ssh-ed25519@openssh.com,
410 sk-ecdsa-sha2-nistp256@openssh.com,
411 rsa-sha2-512,rsa-sha2-256
419 .Sq -
424 will not accept host certificates signed using algorithms other than those
437 .Xr ssh-agent 1 ,
491 .Bl -tag -width Ds
492 .It Cm agent-connection
494 .Xr ssh-agent 1 .
495 .It Cm direct-tcpip , Cm direct-streamlocal@openssh.com
503 .It Cm forwarded-tcpip , Cm forwarded-streamlocal@openssh.com
516 .It Cm tun-connection
520 .It Cm x11-connection
539 will additionally check the host IP address in the
542 This allows it to detect if a host key changed due to DNS spoofing
555 Multiple ciphers must be comma-separated.
561 .Sq -
570 .Bd -literal -offset indent
571 3des-cbc
572 aes128-cbc
573 aes192-cbc
574 aes256-cbc
575 aes128-ctr
576 aes192-ctr
577 aes256-ctr
578 aes128-gcm@openssh.com
579 aes256-gcm@openssh.com
580 chacha20-poly1305@openssh.com
584 .Bd -literal -offset indent
585 chacha20-poly1305@openssh.com,
586 aes128-ctr,aes192-ctr,aes256-ctr,
587 aes128-gcm@openssh.com,aes256-gcm@openssh.com
591 .Qq ssh -Q cipher .
649 .Xr ssh-askpass 1 .
657 .Xr ssh-agent 1
709 .Qq ssh -O exit ) .
736 indicates that the listening port be bound for local use only, while an
746 Only the superuser can forward privileged ports.
759 .Xr ssh-keysign 8
767 This option should be placed in the non-hostspecific section.
769 .Xr ssh-keysign 8
821 .Ic ssh -f host xterm ,
823 .Ic ssh host xterm
859 Users with the ability to bypass file permissions on the remote host
860 (for the agent's Unix-domain socket)
877 Users with the ability to bypass file permissions on the remote host
935 host key database, separated by whitespace.
950 should hash host names and addresses when they are added to
963 .Xr ssh-keygen 1 .
966 authentication as a comma-separated list of patterns.
972 .Sq -
980 .Bd -literal -offset 3n
981 ssh-ed25519-cert-v01@openssh.com,
982 ecdsa-sha2-nistp256-cert-v01@openssh.com,
983 ecdsa-sha2-nistp384-cert-v01@openssh.com,
984 ecdsa-sha2-nistp521-cert-v01@openssh.com,
985 sk-ssh-ed25519-cert-v01@openssh.com,
986 sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
987 rsa-sha2-512-cert-v01@openssh.com,
988 rsa-sha2-256-cert-v01@openssh.com,
989 ssh-ed25519,
990 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
991 sk-ssh-ed25519@openssh.com,
992 sk-ecdsa-sha2-nistp256@openssh.com,
993 rsa-sha2-512,rsa-sha2-256
1011 Specifies the host key signature algorithms
1018 .Sq -
1026 .Bd -literal -offset 3n
1027 ssh-ed25519-cert-v01@openssh.com,
1028 ecdsa-sha2-nistp256-cert-v01@openssh.com,
1029 ecdsa-sha2-nistp384-cert-v01@openssh.com,
1030 ecdsa-sha2-nistp521-cert-v01@openssh.com,
1031 sk-ssh-ed25519-cert-v01@openssh.com,
1032 sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
1033 rsa-sha2-512-cert-v01@openssh.com,
1034 rsa-sha2-256-cert-v01@openssh.com,
1035 ssh-ed25519,
1036 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
1037 sk-ecdsa-sha2-nistp256@openssh.com,
1038 sk-ssh-ed25519@openssh.com,
1039 rsa-sha2-512,rsa-sha2-256
1042 If hostkeys are known for the destination host then this default is modified
1046 .Qq ssh -Q HostKeyAlgorithms .
1049 real host name when looking up or saving the host key
1050 in the host key database files and when validating host certificates.
1052 or for multiple servers running on a single host.
1054 Specifies the real host name to log into.
1068 should only use the configured authentication identity and certificate files
1074 command-line),
1076 .Xr ssh-agent 1
1087 This option is intended for situations where ssh-agent
1091 .Ux Ns -domain
1119 Specifies a file from which the user's DSA, ECDSA, authenticator-hosted ECDSA,
1120 Ed25519, authenticator-hosted Ed25519 or RSA authentication identity is read.
1123 .Xr ssh-agent 1
1142 .Pa -cert.pub
1174 Specifies a pattern-list of unknown options to be ignored if they are
1188 wildcards and, for user configurations, shell-like
1201 .Cm Host
1205 Specifies the IPv4 type-of-service or DSCP class for connections.
1238 interactive sessions and the second for non-interactive sessions.
1241 (Low-Latency Data)
1245 for non-interactive sessions.
1247 Specifies whether to use keyboard-interactive authentication.
1256 Specifies the list of methods to use in keyboard-interactive authentication.
1257 Multiple method names must be comma-separated.
1267 Multiple algorithms must be comma-separated.
1273 .Sq -
1281 .Bd -literal -offset indent
1282 sntrup761x25519-sha512@openssh.com,
1283 curve25519-sha256,curve25519-sha256@libssh.org,
1284 ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
1285 diffie-hellman-group-exchange-sha256,
1286 diffie-hellman-group16-sha512,
1287 diffie-hellman-group18-sha512,
1288 diffie-hellman-group14-sha256
1292 .Qq ssh -Q kex .
1294 Specifies a command to use to obtain a list of host keys, in addition to
1300 It may write host key lines to standard output in identical format to the
1302 .Sx VERIFYING HOST KEYS
1311 the preference list of host key algorithms to use, again to obtain the
1312 host key for the requested host name and, if
1314 is enabled, one more time to obtain the host key matching the server's
1316 If the command exits abnormally or returns a non-zero exit status then the
1340 the secure channel to the specified host and port from the remote machine.
1347 .Ar host : Ns Ar hostport
1348 or a Unix domain socket path if the remote host supports it.
1353 Only the superuser can forward privileged ports.
1364 indicates that the listening port be bound for local use only, while an
1386 .Bd -literal -offset indent
1402 Multiple algorithms must be comma-separated.
1408 .Sq -
1417 .Qq -etm
1418 calculate the MAC after encryption (encrypt-then-mac).
1422 .Bd -literal -offset indent
1423 umac-64-etm@openssh.com,umac-128-etm@openssh.com,
1424 hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
1425 hmac-sha1-etm@openssh.com,
1426 umac-64@openssh.com,umac-128@openssh.com,
1427 hmac-sha2-256,hmac-sha2-512,hmac-sha1
1431 .Qq ssh -Q mac .
1433 Disable host authentication for localhost (loopback addresses).
1446 should try to obscure inter-keystroke timings from passive observers of
1487 .Bl -item -offset indent -compact
1491 .Ar host : port
1514 can be used for host or port to allow all hosts or ports respectively.
1526 Specifies the port number to connect on the remote host.
1531 .Cm keyboard-interactive )
1535 .Bd -literal -offset indent
1536 gssapi-with-mic,hostbased,publickey,
1537 keyboard-interactive,password
1557 .Ic sshd -i
1559 Host key management will be done using the
1561 of the host being connected (defaulting to the name typed by the user).
1574 .Bd -literal -offset 3n
1575 ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
1582 .Ar host
1591 to connect to the target host by first making a
1595 host and then establishing a
1597 Setting the host to
1603 option - whichever is specified first will prevent later instances of the
1606 Note also that the configuration for the destination host (either supplied
1607 via the command-line or the configuration file) is not generally applied
1621 authentication as a comma-separated list of patterns.
1627 .Sq -
1635 .Bd -literal -offset 3n
1636 ssh-ed25519-cert-v01@openssh.com,
1637 ecdsa-sha2-nistp256-cert-v01@openssh.com,
1638 ecdsa-sha2-nistp384-cert-v01@openssh.com,
1639 ecdsa-sha2-nistp521-cert-v01@openssh.com,
1640 sk-ssh-ed25519-cert-v01@openssh.com,
1641 sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
1642 rsa-sha2-512-cert-v01@openssh.com,
1643 rsa-sha2-256-cert-v01@openssh.com,
1644 ssh-ed25519,
1645 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
1646 sk-ssh-ed25519@openssh.com,
1647 sk-ecdsa-sha2-nistp256@openssh.com,
1648 rsa-sha2-512,rsa-sha2-256
1652 .Qq ssh -Q PubkeyAcceptedAlgorithms .
1661 .Cm host-bound .
1663 disabling or enabling the OpenSSH host-bound authentication protocol
1665 .Xr ssh-agent 1
1704 The remote port may either be forwarded to a specified host and port
1711 or, if the remote host supports it, a Unix domain socket path.
1713 .Ar host : Ns Ar hostport
1724 Privileged ports can be forwarded only when
1740 is not specified, the default is to only bind to loopback addresses.
1749 will only succeed if the server's
1754 Specifies whether to request a pseudo-tty for the session.
1775 Servers that present host keys smaller than this limit will cause the
1780 Note that this limit may only be raised from the default.
1782 Specifies revoked host public keys.
1783 Keys listed in this file will be refused for host authentication.
1785 then host authentication will be refused for all hosts.
1788 .Xr ssh-keygen 1 .
1790 .Xr ssh-keygen 1 .
1801 FIDO authenticator-hosted keys, overriding the default of using
1802 the built-in USB HID support.
1817 pseudo-terminal is requested as it is required by the protocol.
1836 .Pa - .
1914 used when creating a Unix-domain socket file for local or remote
1916 This option is only used for port forwarding to a Unix-domain socket file.
1918 The default value is 0177, which creates a Unix-domain socket file that is
1919 readable and writable only by the owner.
1920 Note that not all operating systems honor the file mode on Unix-domain
1923 Specifies whether to remove an existing Unix-domain socket file for local
1929 will be unable to forward the port to the Unix-domain socket file.
1930 This option is only used for port forwarding to a Unix-domain socket file.
1941 will never automatically add host keys to the
1943 file, and refuses to connect to hosts whose host key has changed.
1944 This provides maximum protection against man-in-the-middle (MITM) attacks,
1953 .Cm accept-new
1954 then ssh will automatically add new host keys to the user's
1957 changed host keys.
1962 ssh will automatically add new host keys to the user known hosts files
1968 new host keys
1969 will be added to the user known host files only after the user
1971 ssh will refuse to connect to hosts whose host key has changed.
1972 The host keys of
1992 if the network goes down or the remote host dies.
1999 for protocol-level keepalives.
2010 .Cm point-to-point
2020 .Cm point-to-point .
2057 Additional hostkeys are only accepted if the key used to authenticate the
2058 host was already trusted or explicitly accepted by the user, the host was
2063 and the host was authenticated using a plain key and not a certificate.
2084 Presently, only
2096 host key database, separated by whitespace.
2107 to ignore any user-specific known hosts files.
2123 need to confirm new host keys according to the
2130 .Sx VERIFYING HOST KEYS
2136 an ASCII art representation of the remote host key fingerprint is
2138 for unknown host keys.
2143 only the fingerprint string will be printed for unknown host keys.
2154 consists of zero or more non-whitespace characters,
2160 For example, to specify a set of declarations for any host in the
2165 .Dl Host *.co.uk
2168 would match any host in the 192.168.0.[0-9] network range:
2170 .Dl Host 192.168.0.?
2173 .Em pattern-list
2174 is a comma-separated list of patterns.
2175 Patterns within pattern-lists may be negated
2190 against the following pattern-list will fail:
2202 .Bl -tag -width XXXX -offset indent -compact
2211 The fingerprint of the server's host key.
2223 when looking up a host by address (only when
2229 when preparing the host key algorithm preference list to use for the
2230 destination host.
2237 The base64 encoded host key.
2239 The host key alias if specified, otherwise the original remote hostname given
2261 The type of the server host key, e.g.
2262 .Cm ssh-ed25519 .
2327 support environment variables only for Unix domain socket paths.
2329 .Bl -tag -width Ds
2331 This is the per-user configuration file.
2341 This file must be world-readable.
2346 .An -nosplit
2354 removed many bugs, re-added newer features and