Lines Matching +full:host +full:- +full:only
45 .Bk -words
75 can be configured using command-line options or a configuration file
78 command-line options override values specified in the
87 .Bl -tag -width Ds
91 to use IPv4 addresses only.
95 to use IPv6 addresses only.
107 options or as a comma-separated list.
111 .Dq host ,
116 and correspond to source address, user, resolved source host name,
119 .Dq invalid-user
126 The certificate file must match a host key file specified using the
143 and will only process one connection.
144 This option is only intended for debugging for the server.
177 Specifies a file from which a host key is read.
181 host key files are normally not readable by anyone but root).
187 It is possible to have multiple host key files for
188 the different host key algorithms.
197 command-line flag.
206 option are ignored when a command-line port is specified.
209 option override command-line ports.
231 Only check the validity of the configuration file and sanity of the keys.
239 structure that holds the remote host name.
240 If the resolved host name is longer than
243 This allows hosts with very long host names that
247 indicates that only dotted decimal addresses
259 .Cm from="pattern-list"
262 USER@HOST pattern in
270 The OpenSSH SSH daemon supports SSH protocol 2 only.
271 Each host has a host-specific key,
272 used to identify the host.
274 host key.
276 host key against its own database to verify that it has not changed.
277 Forward secrecy is provided through a Diffie-Hellman key agreement.
287 host-based authentication,
289 challenge-response authentication,
303 on HP-UX, containing
312 for the account while allowing still public-key, then the passwd field
322 things like allocating a pseudo-tty, forwarding X11 connections,
327 of a non-interactive command, which
344 .Bl -enum -offset indent
424 .Bd -literal -offset 3n
425 if read proto cookie && [ -n "$DISPLAY" ]; then
426 if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then
429 cut -c11-` $proto $cookie
433 fi | xauth -q -
454 Public keys consist of the following space-separated fields:
455 options, keytype, base64-encoded key, comment.
459 .Bl -item -compact -offset indent
461 sk-ecdsa-sha2-nistp256@openssh.com
463 ecdsa-sha2-nistp256
465 ecdsa-sha2-nistp384
467 ecdsa-sha2-nistp521
469 sk-ssh-ed25519@openssh.com
471 ssh-ed25519
473 ssh-rsa
494 The options (if present) consist of comma-separated option
498 that option keywords are case-insensitive):
499 .Bl -tag -width Ds
500 .It Cm agent-forwarding
504 .It Cm cert-authority
517 If an 8-bit clean channel is required,
519 .Cm no-pty .
539 If a command is specified and a forced-command is embedded in a certificate
540 used for authentication, then the certificate will be accepted only if the
552 .It Cm expiry-time="timespec"
557 .It Cm from="pattern-list"
559 name of the remote host or its IP address must be present in the
560 comma-separated list of patterns.
577 .It Cm no-agent-forwarding
580 .It Cm no-port-forwarding
586 .It Cm no-pty
588 .It Cm no-user-rc
591 .It Cm no-X11-forwarding
594 .It Cm permitlisten="[host:]port"
598 option such that it may only listen on the specified host (optional) and port.
615 if a listen host was not specified when the forwarding was requested, and
620 .It Cm permitopen="host:port"
624 option such that it may only connect to the specified host and port.
630 specified hostnames, they must be literal host names and/or addresses.
634 .It Cm port-forwarding
640 .Cm cert-authority
642 comma-separated list.
647 .Cm cert-authority
653 .It Cm no-touch-required
656 This option only makes sense for the FIDO authenticator algorithms
657 .Cm ecdsa-sk
659 .Cm ed25519-sk .
660 .It Cm verify-required
663 This option only makes sense for the FIDO authenticator algorithms
664 .Cm ecdsa-sk
666 .Cm ed25519-sk .
680 .It Cm user-rc
686 .It Cm X11-forwarding
693 .Bd -literal -offset 3n
696 ssh-rsa ...
698 restrict,command="dump /home" ssh-rsa ...
699 # Restriction of ssh -L forwarding destinations
700 permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-rsa ...
701 # Restriction of ssh -R forwarding listeners
702 permitlisten="localhost:8080",permitlisten="[::1]:22000" ssh-rsa ...
704 tunnel="0",command="sh /etc/netstart tun0" ssh-rsa ...
706 restrict,pty,command="nethack" ssh-rsa ...
708 no-touch-required sk-ecdsa-sha2-nistp256@openssh.com ...
709 # Require user-verification (e.g. PIN or biometric) for FIDO key
710 verify-required sk-ecdsa-sha2-nistp256@openssh.com ...
711 # Trust CA key, allow touch-less FIDO if requested in certificate
712 cert-authority,no-touch-required,principals="user_a" ssh-rsa ...
719 files contain host public keys for all known hosts.
721 be prepared by the administrator (optional), and the per-user file is
722 maintained automatically: whenever the user connects to an unknown host,
723 its key is added to the per-user file.
726 hostnames, keytype, base64-encoded key, comment.
730 .Dq @cert-authority ,
736 Only one marker should be used on a key line.
738 Hostnames is a comma-separated list of patterns
743 wildcards); each pattern in turn is matched against the host name.
748 this will be the canonical client host name.
751 is authenticating a server, this will be the host name
762 to indicate negation: if the host name matches a negated
771 and a non-standard port number.
773 Alternately, hostnames may be stored in a hashed form which hides host names
778 Only one hashed hostname may appear on a single line and none of the above
781 The keytype and base64-encoded key are taken directly from the host key; they
790 When performing host authentication, authentication is accepted if any
795 .Dq @cert-authority
810 recommended) to have several lines or different host keys for the same
812 This will inevitably happen when short forms of host names
819 long, and you definitely don't want to type in the host keys by hand.
821 .Xr ssh-keyscan 1
824 and adding the host names at the front.
825 .Xr ssh-keygen 1
828 including removing hosts matching a host name and converting all host
832 .Bd -literal -offset 3n
834 cvs.example.net,192.0.2.10 ssh-rsa AAAA1234.....=
836 |1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa
839 @revoked * ssh-rsa AAAAB5W...
840 # A CA key, accepted for any host in *.mydomain.com or *.mydomain.org
841 @cert-authority *.mydomain.org,*.mydomain.com ssh-rsa AAAAB5W...
844 .Bl -tag -width Ds -compact
858 This file is used for host-based authentication (see
862 world-readable if the user's home directory is on an NFS partition,
875 but allows host-based authentication without permitting login with
879 This directory is the default location for all user-specific configuration
906 It can only contain empty lines, comment lines (that start with
910 only by the user; it need not be readable by anyone else.
917 Contains a list of host keys for all hosts the user has logged into
918 that are not already in the systemwide list of known host keys.
920 This file should be writable only by root/the owner and
921 can, but need not be, world-readable.
926 This file should be writable only by the user, and need not be
931 Access controls that should be enforced by tcp-wrappers are defined here.
936 This file is for host-based authentication (see
938 It should only be writable by root.
941 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange"
957 are displayed to anyone trying to log in, and non-root connections are
959 The file should be world-readable.
964 but allows host-based authentication without permitting login with
970 These files contain the private parts of the host keys.
971 These files should only be owned by root, readable only by root, and not
975 does not start if these files are group/world-accessible.
980 These files contain the public parts of the host keys.
981 These files should be world-readable but writable only by
988 .Xr ssh-keygen 1 .
991 Systemwide list of known host keys.
993 system administrator to contain the public host keys of all machines in the
996 This file should be writable only by root/the owner and
997 should be world-readable.
1009 machine-specific login-time initializations globally.
1010 This file should be writable only by root, and should be world-readable.
1016 during privilege separation in the pre-authentication phase.
1018 and not group or world-writable.
1026 The content of this file is not sensitive; it can be world-readable.
1032 .Xr ssh-add 1 ,
1033 .Xr ssh-agent 1 ,
1034 .Xr ssh-keygen 1 ,
1035 .Xr ssh-keyscan 1 ,
1042 .Xr sftp-server 8
1048 removed many bugs, re-added newer features and