xref: /freebsd/crypto/openssh/ssh_config.5 (revision 0bc2abddc8d4abb89a210f2bb113e9e7c2d4ce18)
1.\"
2.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
3.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4.\"                    All rights reserved
5.\"
6.\" As far as I am concerned, the code I have written for this software
7.\" can be used freely for any purpose.  Any derived versions of this
8.\" software must be clearly marked as such, and if the derived work is
9.\" incompatible with the protocol description in the RFC file, it must be
10.\" called by a name other than "ssh" or "Secure Shell".
11.\"
12.\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
13.\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
14.\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
15.\"
16.\" Redistribution and use in source and binary forms, with or without
17.\" modification, are permitted provided that the following conditions
18.\" are met:
19.\" 1. Redistributions of source code must retain the above copyright
20.\"    notice, this list of conditions and the following disclaimer.
21.\" 2. Redistributions in binary form must reproduce the above copyright
22.\"    notice, this list of conditions and the following disclaimer in the
23.\"    documentation and/or other materials provided with the distribution.
24.\"
25.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
26.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
27.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
28.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
29.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
30.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
31.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
32.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\"
36.\" $OpenBSD: ssh_config.5,v 1.215 2015/08/14 15:32:41 jmc Exp $
37.\" $FreeBSD$
38.Dd $Mdocdate: August 14 2015 $
39.Dt SSH_CONFIG 5
40.Os
41.Sh NAME
42.Nm ssh_config
43.Nd OpenSSH SSH client configuration files
44.Sh SYNOPSIS
45.Nm ~/.ssh/config
46.Nm /etc/ssh/ssh_config
47.Sh DESCRIPTION
48.Xr ssh 1
49obtains configuration data from the following sources in
50the following order:
51.Pp
52.Bl -enum -offset indent -compact
53.It
54command-line options
55.It
56user's configuration file
57.Pq Pa ~/.ssh/config
58.It
59system-wide configuration file
60.Pq Pa /etc/ssh/ssh_config
61.El
62.Pp
63For each parameter, the first obtained value
64will be used.
65The configuration files contain sections separated by
66.Dq Host
67specifications, and that section is only applied for hosts that
68match one of the patterns given in the specification.
69The matched host name is usually the one given on the command line
70(see the
71.Cm CanonicalizeHostname
72option for exceptions.)
73.Pp
74Since the first obtained value for each parameter is used, more
75host-specific declarations should be given near the beginning of the
76file, and general defaults at the end.
77.Pp
78The configuration file has the following format:
79.Pp
80Empty lines and lines starting with
81.Ql #
82are comments.
83Otherwise a line is of the format
84.Dq keyword arguments .
85Configuration options may be separated by whitespace or
86optional whitespace and exactly one
87.Ql = ;
88the latter format is useful to avoid the need to quote whitespace
89when specifying configuration options using the
90.Nm ssh ,
91.Nm scp ,
92and
93.Nm sftp
94.Fl o
95option.
96Arguments may optionally be enclosed in double quotes
97.Pq \&"
98in order to represent arguments containing spaces.
99.Pp
100The possible
101keywords and their meanings are as follows (note that
102keywords are case-insensitive and arguments are case-sensitive):
103.Bl -tag -width Ds
104.It Cm Host
105Restricts the following declarations (up to the next
106.Cm Host
107or
108.Cm Match
109keyword) to be only for those hosts that match one of the patterns
110given after the keyword.
111If more than one pattern is provided, they should be separated by whitespace.
112A single
113.Ql *
114as a pattern can be used to provide global
115defaults for all hosts.
116The host is usually the
117.Ar hostname
118argument given on the command line
119(see the
120.Cm CanonicalizeHostname
121option for exceptions.)
122.Pp
123A pattern entry may be negated by prefixing it with an exclamation mark
124.Pq Sq !\& .
125If a negated entry is matched, then the
126.Cm Host
127entry is ignored, regardless of whether any other patterns on the line
128match.
129Negated matches are therefore useful to provide exceptions for wildcard
130matches.
131.Pp
132See
133.Sx PATTERNS
134for more information on patterns.
135.It Cm Match
136Restricts the following declarations (up to the next
137.Cm Host
138or
139.Cm Match
140keyword) to be used only when the conditions following the
141.Cm Match
142keyword are satisfied.
Match conditions are specified using one or more criteria
144or the single token
145.Cm all
146which always matches.
147The available criteria keywords are:
148.Cm canonical ,
149.Cm exec ,
150.Cm host ,
151.Cm originalhost ,
152.Cm user ,
153and
154.Cm localuser .
The
.Cm all
criterion must appear alone or immediately after
.Cm canonical .
159Other criteria may be combined arbitrarily.
160All criteria but
161.Cm all
162and
163.Cm canonical
164require an argument.
165Criteria may be negated by prepending an exclamation mark
166.Pq Sq !\& .
167.Pp
168The
169.Cm canonical
170keyword matches only when the configuration file is being re-parsed
171after hostname canonicalization (see the
172.Cm CanonicalizeHostname
173option.)
174This may be useful to specify conditions that work with canonical host
175names only.
176The
177.Cm exec
178keyword executes the specified command under the user's shell.
179If the command returns a zero exit status then the condition is considered true.
180Commands containing whitespace characters must be quoted.
181The following character sequences in the command will be expanded prior to
182execution:
183.Ql %L
184will be substituted by the first component of the local host name,
185.Ql %l
186will be substituted by the local host name (including any domain name),
187.Ql %h
188will be substituted by the target host name,
189.Ql %n
190will be substituted by the original target host name
191specified on the command-line,
192.Ql %p
193the destination port,
194.Ql %r
195by the remote login username, and
196.Ql %u
197by the username of the user running
198.Xr ssh 1 .
199.Pp
200The other keywords' criteria must be single entries or comma-separated
201lists and may use the wildcard and negation operators described in the
202.Sx PATTERNS
203section.
204The criteria for the
205.Cm host
206keyword are matched against the target hostname, after any substitution
207by the
208.Cm Hostname
209or
210.Cm CanonicalizeHostname
211options.
212The
213.Cm originalhost
214keyword matches against the hostname as it was specified on the command-line.
215The
216.Cm user
217keyword matches against the target username on the remote host.
218The
219.Cm localuser
220keyword matches against the name of the local user running
221.Xr ssh 1
222(this keyword may be useful in system-wide
223.Nm
224files).
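.Pp
The following Python script is an added worked example and is not part of OpenSSH or of this manual page. It implements the rules described above against a constructed configuration: the first obtained value wins (IdentityFile accumulates, as documented later on this page), keyword/argument splitting with optional "=" and double quotes, Host stanzas with "*", "?" and "!" negation, the host, originalhost, user and localuser Match criteria (all and negation included), and IgnoreUnknown. The keyword set, function names and sample host names are the example's own; the exec and canonical criteria are not modelled.

```python
import re
import shlex

# Keywords this toy resolver knows; real ssh knows the full list on this page.
KNOWN_KEYWORDS = {"hostname", "user", "port", "identityfile", "identitiesonly",
                  "forwardagent", "proxycommand", "stricthostkeychecking", "ignoreunknown"}
ACCUMULATING = {"identityfile"}   # documented exception: later values add instead of losing


def match_pattern(pattern, name):
    """PATTERNS-style glob: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, name) is not None


def match_pattern_list(patterns, name):
    """Comma-separated list with '!' negation. A negated entry that matches rejects
    the whole list, whatever else matched; otherwise any positive match accepts."""
    matched = False
    for pat in patterns.split(","):
        if pat.startswith("!"):
            if match_pattern(pat[1:], name):
                return False
        elif match_pattern(pat, name):
            matched = True
    return matched


def split_directive(line):
    """'keyword args', 'keyword=args' or 'keyword = args'; double quotes group
    whitespace. Keywords are case-insensitive, arguments are not."""
    head, sep, tail = line.partition("=")
    if sep and " " not in head.strip():
        keyword, rest = head.strip(), tail
    else:
        parts = line.split(None, 1)
        keyword, rest = parts[0], (parts[1] if len(parts) > 1 else "")
    return keyword.lower(), shlex.split(rest)


def match_applies(args, ctx):
    """Match criteria host/originalhost/user/localuser (each followed by a pattern
    list, negatable with '!') or the single token 'all'. exec/canonical omitted."""
    if [a.lower() for a in args] == ["all"]:
        return True
    for crit, patterns in zip(args[0::2], args[1::2]):
        negate = crit.startswith("!")
        name = crit.lstrip("!").lower()
        if name not in ("host", "originalhost", "user", "localuser"):
            raise ValueError("unsupported Match criterion: " + crit)
        if match_pattern_list(patterns, ctx[name]) == negate:
            return False                      # criterion failed (or negated one matched)
    return True


def resolve(config_text, originalhost, user, localuser):
    """First obtained value wins (IdentityFile accumulates); Host matches the name
    given on the command line, Match host sees any HostName set earlier; unknown
    keywords are errors unless an earlier IgnoreUnknown pattern covers them."""
    options, active, ignored = {}, True, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, args = split_directive(line)
        if keyword == "host":
            active = match_pattern_list(",".join(args), originalhost)
            continue
        if keyword == "match":
            ctx = {"originalhost": originalhost, "user": user, "localuser": localuser,
                   "host": options.get("hostname", originalhost)}
            active = match_applies(args, ctx)
            continue
        if not active:
            continue
        if keyword not in KNOWN_KEYWORDS:
            if any(match_pattern_list(p, keyword) for p in ignored):
                continue                      # IgnoreUnknown covers it
            raise ValueError("Bad configuration option: " + keyword)
        if keyword == "ignoreunknown":
            ignored.append(args[0].lower())   # only protects lines after this one
        if keyword in ACCUMULATING:
            options.setdefault(keyword, []).extend(args)
        elif keyword not in options:
            options[keyword] = " ".join(args)
    return options


# Constructed example configuration (not a real deployment).
SAMPLE_CONFIG = """
IgnoreUnknown FutureOption*
FutureOptionFoo 1

Host bastion
    HostName bastion.example.net
    User ops
    IdentityFile ~/.ssh/bastion_ed25519

Host *.corp.example.com !build-*.corp.example.com
    User deploy
    ForwardAgent = yes

Match host bastion.example.net !localuser root
    IdentitiesOnly yes

Host *
    User fallback
    IdentityFile ~/.ssh/id_ed25519
    ForwardAgent no
"""
```

Because the bastion stanza comes first, its User wins over the "Host *" fallback, while both IdentityFile lines are kept; build-*.corp.example.com is excluded from the corporate stanza by the negated pattern even though "*.corp.example.com" also matches it.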
225.It Cm AddressFamily
226Specifies which address family to use when connecting.
227Valid arguments are
228.Dq any ,
229.Dq inet
230(use IPv4 only), or
231.Dq inet6
232(use IPv6 only).
233.It Cm BatchMode
234If set to
235.Dq yes ,
236passphrase/password querying will be disabled.
237This option is useful in scripts and other batch jobs where no user
238is present to supply the password.
239The argument must be
240.Dq yes
241or
242.Dq no .
243The default is
244.Dq no .
245.It Cm BindAddress
246Use the specified address on the local machine as the source address of
247the connection.
248Only useful on systems with more than one address.
249Note that this option does not work if
250.Cm UsePrivilegedPort
251is set to
252.Dq yes .
253.It Cm CanonicalDomains
254When
255.Cm CanonicalizeHostname
256is enabled, this option specifies the list of domain suffixes in which to
257search for the specified destination host.
258.It Cm CanonicalizeFallbackLocal
259Specifies whether to fail with an error when hostname canonicalization fails.
260The default,
261.Dq yes ,
262will attempt to look up the unqualified hostname using the system resolver's
263search rules.
264A value of
265.Dq no
266will cause
267.Xr ssh 1
268to fail instantly if
269.Cm CanonicalizeHostname
270is enabled and the target hostname cannot be found in any of the domains
271specified by
272.Cm CanonicalDomains .
273.It Cm CanonicalizeHostname
274Controls whether explicit hostname canonicalization is performed.
275The default,
276.Dq no ,
277is not to perform any name rewriting and let the system resolver handle all
278hostname lookups.
279If set to
280.Dq yes
281then, for connections that do not use a
282.Cm ProxyCommand ,
283.Xr ssh 1
284will attempt to canonicalize the hostname specified on the command line
285using the
286.Cm CanonicalDomains
287suffixes and
288.Cm CanonicalizePermittedCNAMEs
289rules.
290If
291.Cm CanonicalizeHostname
292is set to
293.Dq always ,
294then canonicalization is applied to proxied connections too.
295.Pp
296If this option is enabled, then the configuration files are processed
297again using the new target name to pick up any new configuration in matching
298.Cm Host
299and
300.Cm Match
301stanzas.
302.It Cm CanonicalizeMaxDots
303Specifies the maximum number of dot characters in a hostname before
304canonicalization is disabled.
305The default,
306.Dq 1 ,
307allows a single dot (i.e. hostname.subdomain).
308.It Cm CanonicalizePermittedCNAMEs
309Specifies rules to determine whether CNAMEs should be followed when
310canonicalizing hostnames.
311The rules consist of one or more arguments of
312.Ar source_domain_list : Ns Ar target_domain_list ,
313where
314.Ar source_domain_list
315is a pattern-list of domains that may follow CNAMEs in canonicalization,
316and
317.Ar target_domain_list
318is a pattern-list of domains that they may resolve to.
319.Pp
320For example,
321.Dq *.a.example.com:*.b.example.com,*.c.example.com
322will allow hostnames matching
323.Dq *.a.example.com
324to be canonicalized to names in the
325.Dq *.b.example.com
326or
327.Dq *.c.example.com
328domains.
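.Pp
Added example (not OpenSSH code and not from this manual page) walking through the canonicalization decisions described under CanonicalizeHostname, CanonicalDomains, CanonicalizeMaxDots, CanonicalizePermittedCNAMEs and CanonicalizeFallbackLocal, using a constructed DNS table and the page's own source:target rule as input. The DNS data, host names and function names are the example's own; the IP-literal shortcut and port handling of the real client are omitted.

```python
import fnmatch

# Constructed DNS view for the example: name -> ("A", address) or ("CNAME", target).
DNS = {
    "web1.a.example.com": ("CNAME", "web1.b.example.com"),
    "web1.b.example.com": ("A", "192.0.2.10"),
    "db1.a.example.com": ("CNAME", "db1.evil.example.org"),
    "db1.evil.example.org": ("A", "192.0.2.66"),
    "git.c.example.com": ("A", "192.0.2.20"),
}


def pattern_list_match(patterns, name):
    """Comma-separated pattern list from PATTERNS: '!' negation rejects, '*'/'?' glob."""
    matched = False
    for pat in patterns.split(","):
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(name, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(name, pat):
            matched = True
    return matched


def cname_permitted(name, target, rules):
    """CanonicalizePermittedCNAMEs: each rule is source_domain_list:target_domain_list."""
    for rule in rules:
        source, targets = rule.split(":", 1)
        if pattern_list_match(source, name) and pattern_list_match(targets, target):
            return True
    return False


def canonicalize(host, canonical_domains, permitted_cnames=(), max_dots=1,
                 fallback_local=True, dns=DNS):
    """Return the name ssh would use for host-key lookup and for re-parsing the config."""
    if host.count(".") > max_dots:
        return host                   # beyond CanonicalizeMaxDots: leave the name alone
    for domain in canonical_domains:
        candidate = host + "." + domain
        record = dns.get(candidate)
        if record is None:
            continue                  # not in this domain, try the next suffix
        kind, value = record
        if kind == "CNAME":
            if dns.get(value) is None:
                continue              # dangling CNAME: the lookup fails, keep searching
            if cname_permitted(candidate, value, permitted_cnames):
                return value          # permitted: the CNAME target becomes the host name
            return candidate          # CNAME not permitted: keep the name that was looked up
        return candidate
    if fallback_local:
        return host                   # hand the unqualified name to the system resolver
    raise LookupError("CanonicalizeFallbackLocal no: " + host + " not found in "
                      + ",".join(canonical_domains))


# The rule quoted on this page, used as the example's input.
RULES = ["*.a.example.com:*.b.example.com,*.c.example.com"]
DOMAINS = ["a.example.com", "c.example.com"]
```

The db1 case is the one to notice: its CNAME points outside the permitted targets, so the client keeps "db1.a.example.com" as the host name and the known_hosts check happens under that name rather than under whatever the CNAME says.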
329.It Cm ChallengeResponseAuthentication
330Specifies whether to use challenge-response authentication.
331The argument to this keyword must be
332.Dq yes
333or
334.Dq no .
335The default is
336.Dq yes .
337.It Cm CheckHostIP
338If this flag is set to
339.Dq yes ,
340.Xr ssh 1
341will additionally check the host IP address in the
342.Pa known_hosts
343file.
344This allows ssh to detect if a host key changed due to DNS spoofing
345and will add addresses of destination hosts to
346.Pa ~/.ssh/known_hosts
347in the process, regardless of the setting of
348.Cm StrictHostKeyChecking .
If the option is set to
.Dq no ,
the check will not be executed.
The default is
.Dq yes .
354.It Cm Cipher
355Specifies the cipher to use for encrypting the session
356in protocol version 1.
357Currently,
358.Dq blowfish ,
359.Dq 3des ,
360and
361.Dq des
362are supported.
363.Ar des
364is only supported in the
365.Xr ssh 1
366client for interoperability with legacy protocol 1 implementations
367that do not support the
368.Ar 3des
369cipher.
370Its use is strongly discouraged due to cryptographic weaknesses.
371The default is
372.Dq 3des .
373.It Cm Ciphers
374Specifies the ciphers allowed for protocol version 2
375in order of preference.
376Multiple ciphers must be comma-separated.
377If the specified value begins with a
378.Sq +
379character, then the specified ciphers will be appended to the default set
380instead of replacing them.
381.Pp
382The supported ciphers are:
383.Pp
384.Bl -item -compact -offset indent
385.It
3863des-cbc
387.It
388aes128-cbc
389.It
390aes192-cbc
391.It
392aes256-cbc
393.It
394aes128-ctr
395.It
396aes192-ctr
397.It
398aes256-ctr
399.It
400aes128-gcm@openssh.com
401.It
402aes256-gcm@openssh.com
403.It
404arcfour
405.It
406arcfour128
407.It
408arcfour256
409.It
410blowfish-cbc
411.It
412cast128-cbc
413.It
414chacha20-poly1305@openssh.com
415.El
416.Pp
417The default is:
418.Bd -literal -offset indent
419chacha20-poly1305@openssh.com,
420aes128-ctr,aes192-ctr,aes256-ctr,
421aes128-gcm@openssh.com,aes256-gcm@openssh.com,
422arcfour256,arcfour128,
423aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,
424aes192-cbc,aes256-cbc,arcfour
425.Ed
426.Pp
427The list of available ciphers may also be obtained using the
428.Fl Q
429option of
430.Xr ssh 1
431with an argument of
432.Dq cipher .
433.It Cm ClearAllForwardings
434Specifies that all local, remote, and dynamic port forwardings
435specified in the configuration files or on the command line be
436cleared.
437This option is primarily useful when used from the
438.Xr ssh 1
439command line to clear port forwardings set in
440configuration files, and is automatically set by
441.Xr scp 1
442and
443.Xr sftp 1 .
444The argument must be
445.Dq yes
446or
447.Dq no .
448The default is
449.Dq no .
450.It Cm Compression
451Specifies whether to use compression.
452The argument must be
453.Dq yes
454or
455.Dq no .
456The default is
457.Dq no .
458.It Cm CompressionLevel
459Specifies the compression level to use if compression is enabled.
460The argument must be an integer from 1 (fast) to 9 (slow, best).
461The default level is 6, which is good for most applications.
462The meaning of the values is the same as in
463.Xr gzip 1 .
464Note that this option applies to protocol version 1 only.
465.It Cm ConnectionAttempts
466Specifies the number of tries (one per second) to make before exiting.
467The argument must be an integer.
468This may be useful in scripts if the connection sometimes fails.
469The default is 1.
470.It Cm ConnectTimeout
471Specifies the timeout (in seconds) used when connecting to the
472SSH server, instead of using the default system TCP timeout.
473This value is used only when the target is down or really unreachable,
474not when it refuses the connection.
475.It Cm ControlMaster
476Enables the sharing of multiple sessions over a single network connection.
477When set to
478.Dq yes ,
479.Xr ssh 1
480will listen for connections on a control socket specified using the
481.Cm ControlPath
482argument.
483Additional sessions can connect to this socket using the same
484.Cm ControlPath
485with
486.Cm ControlMaster
487set to
488.Dq no
489(the default).
490These sessions will try to reuse the master instance's network connection
491rather than initiating new ones, but will fall back to connecting normally
492if the control socket does not exist, or is not listening.
493.Pp
494Setting this to
495.Dq ask
496will cause ssh
497to listen for control connections, but require confirmation using
498.Xr ssh-askpass 1 .
499If the
500.Cm ControlPath
501cannot be opened,
502ssh will continue without connecting to a master instance.
503.Pp
504X11 and
505.Xr ssh-agent 1
506forwarding is supported over these multiplexed connections, however the
507display and agent forwarded will be the one belonging to the master
508connection i.e. it is not possible to forward multiple displays or agents.
509.Pp
510Two additional options allow for opportunistic multiplexing: try to use a
511master connection but fall back to creating a new one if one does not already
512exist.
513These options are:
514.Dq auto
515and
516.Dq autoask .
517The latter requires confirmation like the
518.Dq ask
519option.
520.It Cm ControlPath
521Specify the path to the control socket used for connection sharing as described
522in the
523.Cm ControlMaster
524section above or the string
525.Dq none
526to disable connection sharing.
527In the path,
528.Ql %L
529will be substituted by the first component of the local host name,
530.Ql %l
531will be substituted by the local host name (including any domain name),
532.Ql %h
533will be substituted by the target host name,
534.Ql %n
535will be substituted by the original target host name
536specified on the command line,
537.Ql %p
538the destination port,
539.Ql %r
540by the remote login username,
541.Ql %u
542by the username of the user running
543.Xr ssh 1 , and
544.Ql \&%C
545by a hash of the concatenation: %l%h%p%r.
546It is recommended that any
547.Cm ControlPath
548used for opportunistic connection sharing include
549at least %h, %p, and %r (or alternatively %C) and be placed in a directory
550that is not writable by other users.
551This ensures that shared connections are uniquely identified.
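.Pp
Added example, not OpenSSH code and not from this manual page: it expands the percent tokens listed above for ControlPath (the same tokens, without %C, are listed for the Match exec criterion) and then performs the checks behind the recommendation that a ControlPath used for opportunistic sharing contain %h, %p and %r (or %C) and live in a directory other users cannot write to. The page only says %C is "a hash" of %l%h%p%r; this example uses hex SHA1, which is what OpenSSH computes, but that detail is not stated on this page. Function names and the scenario in demo() are the example's own.

```python
import hashlib
import os
import stat
import tempfile


def expand_tokens(template, local_host, target_host, original_host, port, remote_user, local_user):
    """Expand the %-tokens documented for ControlPath. %C hashes %l%h%p%r (hex SHA1,
    as OpenSSH does; assumption from the lead-in, not from this page)."""
    values = {
        "L": local_host.split(".", 1)[0],   # first component of the local host name
        "l": local_host,
        "h": target_host,
        "n": original_host,
        "p": str(port),
        "r": remote_user,
        "u": local_user,
        "%": "%",
    }
    values["C"] = hashlib.sha1((values["l"] + values["h"] + values["p"] + values["r"]).encode()).hexdigest()
    out, i = [], 0
    while i < len(template):
        if template[i] == "%":
            token = template[i + 1:i + 2]
            if token not in values:
                raise ValueError("invalid token %" + token + " in " + template)
            out.append(values[token])
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def controlpath_problems(template, *connection):
    """Return the reasons a ControlPath is unsafe for opportunistic sharing: it must
    identify the connection uniquely (%h, %p and %r, or %C) and its directory must
    not be writable by others, or another local user could pre-create the socket."""
    problems = []
    if "%C" not in template and not all(t in template for t in ("%h", "%p", "%r")):
        problems.append("path lacks %h, %p and %r (or %C); different sessions may collide")
    directory = os.path.dirname(expand_tokens(template, *connection)) or "."
    try:
        st = os.stat(directory)
    except FileNotFoundError:
        return problems + ["directory " + directory + " does not exist"]
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("directory " + directory + " is writable by other users")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        problems.append("directory " + directory + " is not owned by the current user")
    return problems


def demo():
    """Constructed scenario: a private socket directory versus a /tmp-like shared one."""
    private = tempfile.mkdtemp()                 # mkdtemp creates the directory mode 0700
    shared = tempfile.mkdtemp()
    os.chmod(shared, 0o1777)                     # sticky and world-writable, like /tmp
    conn = ("ws.corp.example.com", "bastion.example.net", "bastion", 22, "ops", "alice")
    good = controlpath_problems(private + "/cm-%C", *conn)
    bad_dir = controlpath_problems(shared + "/cm-%C", *conn)
    bad_template = controlpath_problems(private + "/cm-%h", *conn)
    return good, bad_dir, bad_template
```

%C is the usual choice in practice because it keeps the socket name short (Unix-domain socket paths have a small length limit) while still folding the host, port and user into it.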
552.It Cm ControlPersist
553When used in conjunction with
554.Cm ControlMaster ,
555specifies that the master connection should remain open
556in the background (waiting for future client connections)
557after the initial client connection has been closed.
558If set to
559.Dq no ,
560then the master connection will not be placed into the background,
561and will close as soon as the initial client connection is closed.
562If set to
563.Dq yes
564or
565.Dq 0 ,
566then the master connection will remain in the background indefinitely
567(until killed or closed via a mechanism such as the
568.Xr ssh 1
569.Dq Fl O No exit
570option).
571If set to a time in seconds, or a time in any of the formats documented in
572.Xr sshd_config 5 ,
573then the backgrounded master connection will automatically terminate
574after it has remained idle (with no client connections) for the
575specified time.
576.It Cm DynamicForward
577Specifies that a TCP port on the local machine be forwarded
578over the secure channel, and the application
579protocol is then used to determine where to connect to from the
580remote machine.
581.Pp
582The argument must be
583.Sm off
584.Oo Ar bind_address : Oc Ar port .
585.Sm on
586IPv6 addresses can be specified by enclosing addresses in square brackets.
587By default, the local port is bound in accordance with the
588.Cm GatewayPorts
589setting.
590However, an explicit
591.Ar bind_address
592may be used to bind the connection to a specific address.
593The
594.Ar bind_address
595of
596.Dq localhost
597indicates that the listening port be bound for local use only, while an
598empty address or
599.Sq *
600indicates that the port should be available from all interfaces.
601.Pp
602Currently the SOCKS4 and SOCKS5 protocols are supported, and
603.Xr ssh 1
604will act as a SOCKS server.
605Multiple forwardings may be specified, and
606additional forwardings can be given on the command line.
607Only the superuser can forward privileged ports.
608.It Cm EnableSSHKeysign
609Setting this option to
610.Dq yes
611in the global client configuration file
612.Pa /etc/ssh/ssh_config
613enables the use of the helper program
614.Xr ssh-keysign 8
615during
616.Cm HostbasedAuthentication .
617The argument must be
618.Dq yes
619or
620.Dq no .
621The default is
622.Dq no .
623This option should be placed in the non-hostspecific section.
624See
625.Xr ssh-keysign 8
626for more information.
627.It Cm EscapeChar
628Sets the escape character (default:
629.Ql ~ ) .
630The escape character can also
631be set on the command line.
632The argument should be a single character,
633.Ql ^
634followed by a letter, or
635.Dq none
636to disable the escape
637character entirely (making the connection transparent for binary
638data).
639.It Cm ExitOnForwardFailure
640Specifies whether
641.Xr ssh 1
642should terminate the connection if it cannot set up all requested
643dynamic, tunnel, local, and remote port forwardings.
644The argument must be
645.Dq yes
646or
647.Dq no .
648The default is
649.Dq no .
650.It Cm FingerprintHash
651Specifies the hash algorithm used when displaying key fingerprints.
652Valid options are:
653.Dq md5
654and
655.Dq sha256 .
656The default is
657.Dq sha256 .
658.It Cm ForwardAgent
659Specifies whether the connection to the authentication agent (if any)
660will be forwarded to the remote machine.
661The argument must be
662.Dq yes
663or
664.Dq no .
665The default is
666.Dq no .
667.Pp
668Agent forwarding should be enabled with caution.
669Users with the ability to bypass file permissions on the remote host
670(for the agent's Unix-domain socket)
671can access the local agent through the forwarded connection.
672An attacker cannot obtain key material from the agent,
673however they can perform operations on the keys that enable them to
674authenticate using the identities loaded into the agent.
675.It Cm ForwardX11
676Specifies whether X11 connections will be automatically redirected
677over the secure channel and
678.Ev DISPLAY
679set.
680The argument must be
681.Dq yes
682or
683.Dq no .
684The default is
685.Dq no .
686.Pp
687X11 forwarding should be enabled with caution.
688Users with the ability to bypass file permissions on the remote host
689(for the user's X11 authorization database)
690can access the local X11 display through the forwarded connection.
691An attacker may then be able to perform activities such as keystroke monitoring
692if the
693.Cm ForwardX11Trusted
694option is also enabled.
695.It Cm ForwardX11Timeout
696Specify a timeout for untrusted X11 forwarding
697using the format described in the
698TIME FORMATS section of
699.Xr sshd_config 5 .
700X11 connections received by
701.Xr ssh 1
702after this time will be refused.
The default is to disable untrusted X11 forwarding after twenty minutes have
elapsed.
705.It Cm ForwardX11Trusted
706If this option is set to
707.Dq yes ,
708remote X11 clients will have full access to the original X11 display.
709.Pp
710If this option is set to
711.Dq no ,
712remote X11 clients will be considered untrusted and prevented
713from stealing or tampering with data belonging to trusted X11
714clients.
715Furthermore, the
716.Xr xauth 1
717token used for the session will be set to expire after 20 minutes.
718Remote clients will be refused access after this time.
719.Pp
720The default is
721.Dq no .
722.Pp
723See the X11 SECURITY extension specification for full details on
724the restrictions imposed on untrusted clients.
725.It Cm GatewayPorts
726Specifies whether remote hosts are allowed to connect to local
727forwarded ports.
728By default,
729.Xr ssh 1
730binds local port forwardings to the loopback address.
731This prevents other remote hosts from connecting to forwarded ports.
732.Cm GatewayPorts
733can be used to specify that ssh
734should bind local port forwardings to the wildcard address,
735thus allowing remote hosts to connect to forwarded ports.
736The argument must be
737.Dq yes
738or
739.Dq no .
740The default is
741.Dq no .
742.It Cm GlobalKnownHostsFile
743Specifies one or more files to use for the global
744host key database, separated by whitespace.
745The default is
746.Pa /etc/ssh/ssh_known_hosts ,
747.Pa /etc/ssh/ssh_known_hosts2 .
748.It Cm GSSAPIAuthentication
749Specifies whether user authentication based on GSSAPI is allowed.
750The default is
751.Dq no .
752Note that this option applies to protocol version 2 only.
753.It Cm GSSAPIDelegateCredentials
754Forward (delegate) credentials to the server.
755The default is
756.Dq no .
757Note that this option applies to protocol version 2 only.
758.It Cm HashKnownHosts
759Indicates that
760.Xr ssh 1
761should hash host names and addresses when they are added to
762.Pa ~/.ssh/known_hosts .
763These hashed names may be used normally by
764.Xr ssh 1
765and
766.Xr sshd 8 ,
767but they do not reveal identifying information should the file's contents
768be disclosed.
769The default is
770.Dq no .
771Note that existing names and addresses in known hosts files
772will not be converted automatically,
773but may be manually hashed using
774.Xr ssh-keygen 1 .
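.Pp
Added example, not OpenSSH code and not from this manual page, tying together CheckHostIP, FingerprintHash and HashKnownHosts: it builds hashed known_hosts entries, matches names against plain and hashed entries, renders a key in both fingerprint formats, and runs the name-versus-address comparison that CheckHostIP adds. The hashed-entry layout ("|1|" base64 salt "|" base64 HMAC-SHA1 of the name) and the fingerprint layouts come from OpenSSH's file and display formats, not from this page; the keys are constructed byte patterns, not real key material, and the host names and function names are the example's own.

```python
import base64
import hashlib
import hmac
import os


def ed25519_blob(raw32):
    """Wire encoding of an ssh-ed25519 public key: string 'ssh-ed25519', string key."""
    name = b"ssh-ed25519"
    return len(name).to_bytes(4, "big") + name + len(raw32).to_bytes(4, "big") + raw32


# Constructed keys (not real key material): KEY_A belongs to the bastion, KEY_B to someone else.
KEY_A = base64.b64encode(ed25519_blob(bytes([0x11]) * 32)).decode()
KEY_B = base64.b64encode(ed25519_blob(bytes([0x22]) * 32)).decode()


def fingerprint(key_b64, algo="sha256"):
    """FingerprintHash display forms: 'SHA256:' + unpadded base64, or 'MD5:' + colon hex."""
    blob = base64.b64decode(key_b64)
    if algo == "sha256":
        return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    if algo == "md5":
        hexd = hashlib.md5(blob).hexdigest()
        return "MD5:" + ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))
    raise ValueError("unknown FingerprintHash " + algo)


def hash_known_host(name, salt=None):
    """HashKnownHosts entry: '|1|' base64(salt) '|' base64(HMAC-SHA1(salt, name)).
    A fresh random salt means two hashes of one name differ and the file names nothing."""
    salt = os.urandom(20) if salt is None else salt
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_field_matches(field, name):
    """Match a name against one known_hosts host field, hashed or a plain comma list."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        salt = base64.b64decode(salt_b64)
        mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return name in field.split(",")


def check_host_key(known_hosts, host, ip, presented_key, check_host_ip=True):
    """The decision CheckHostIP adds to: the key recorded for the name must match,
    and when the address is also on file its key must agree with the name's."""
    by_name, by_ip = set(), set()
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or line.startswith("#"):
            continue
        field, key = parts[0], parts[2]
        if host_field_matches(field, host):
            by_name.add(key)
        if check_host_ip and host_field_matches(field, ip):
            by_ip.add(key)
    if not by_name:
        if by_ip and presented_key not in by_ip:
            return "unknown host, but address known with a different key (DNS spoofing?)"
        return "unknown host"
    if presented_key not in by_name:
        return "HOST KEY CHANGED"
    if by_ip and presented_key not in by_ip:
        return "key matches name but not address (DNS spoofing?)"
    return "ok"


SALT = bytes(range(20))   # fixed salt only so the constructed file is reproducible
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts file",
    "bastion.example.net,192.0.2.10 ssh-ed25519 " + KEY_A,
    hash_known_host("vault.example.net", SALT) + " ssh-ed25519 " + KEY_B,
    hash_known_host("192.0.2.20", SALT) + " ssh-ed25519 " + KEY_B,
])
```

Note what hashing does and does not buy: a hashed entry still verifies a name you already know (the HMAC is recomputed from the salt), but someone who copies the file cannot list the hosts, only confirm guesses one at a time.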
775.It Cm HostbasedAuthentication
776Specifies whether to try rhosts based authentication with public key
777authentication.
778The argument must be
779.Dq yes
780or
781.Dq no .
782The default is
783.Dq no .
784This option applies to protocol version 2 only and
785is similar to
786.Cm RhostsRSAAuthentication .
787.It Cm HostbasedKeyTypes
788Specifies the key types that will be used for hostbased authentication
789as a comma-separated pattern list.
790Alternately if the specified value begins with a
791.Sq +
792character, then the specified key types will be appended to the default set
793instead of replacing them.
794The default for this option is:
795.Bd -literal -offset 3n
796ecdsa-sha2-nistp256-cert-v01@openssh.com,
797ecdsa-sha2-nistp384-cert-v01@openssh.com,
798ecdsa-sha2-nistp521-cert-v01@openssh.com,
799ssh-ed25519-cert-v01@openssh.com,
800ssh-rsa-cert-v01@openssh.com,
801ssh-dss-cert-v01@openssh.com,
802ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
803ecdsa-sha2-nistp521,ssh-ed25519,
804ssh-rsa,ssh-dss
805.Ed
806.Pp
807The
808.Fl Q
809option of
810.Xr ssh 1
811may be used to list supported key types.
812.It Cm HostKeyAlgorithms
813Specifies the protocol version 2 host key algorithms
814that the client wants to use in order of preference.
815Alternately if the specified value begins with a
816.Sq +
817character, then the specified key types will be appended to the default set
818instead of replacing them.
819The default for this option is:
820.Bd -literal -offset 3n
821ecdsa-sha2-nistp256-cert-v01@openssh.com,
822ecdsa-sha2-nistp384-cert-v01@openssh.com,
823ecdsa-sha2-nistp521-cert-v01@openssh.com,
824ssh-ed25519-cert-v01@openssh.com,
825ssh-rsa-cert-v01@openssh.com,
826ssh-dss-cert-v01@openssh.com,
827ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
828ecdsa-sha2-nistp521,ssh-ed25519,
829ssh-rsa,ssh-dss
830.Ed
831.Pp
832If hostkeys are known for the destination host then this default is modified
833to prefer their algorithms.
834.Pp
835The list of available key types may also be obtained using the
836.Fl Q
837option of
838.Xr ssh 1
839with an argument of
840.Dq key .
841.It Cm HostKeyAlias
842Specifies an alias that should be used instead of the
843real host name when looking up or saving the host key
844in the host key database files.
845This option is useful for tunneling SSH connections
846or for multiple servers running on a single host.
847.It Cm HostName
848Specifies the real host name to log into.
849This can be used to specify nicknames or abbreviations for hosts.
850If the hostname contains the character sequence
851.Ql %h ,
852then this will be replaced with the host name specified on the command line
853(this is useful for manipulating unqualified names).
854The character sequence
855.Ql %%
856will be replaced by a single
857.Ql %
858character, which may be used when specifying IPv6 link-local addresses.
859.Pp
860The default is the name given on the command line.
861Numeric IP addresses are also permitted (both on the command line and in
862.Cm HostName
863specifications).
864.It Cm IdentitiesOnly
865Specifies that
866.Xr ssh 1
867should only use the authentication identity files configured in the
868.Nm
869files,
870even if
871.Xr ssh-agent 1
872or a
873.Cm PKCS11Provider
874offers more identities.
875The argument to this keyword must be
876.Dq yes
877or
878.Dq no .
879This option is intended for situations where ssh-agent
880offers many different identities.
881The default is
882.Dq no .
883.It Cm IdentityFile
884Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA authentication
885identity is read.
886The default is
887.Pa ~/.ssh/identity
888for protocol version 1, and
889.Pa ~/.ssh/id_dsa ,
890.Pa ~/.ssh/id_ecdsa ,
891.Pa ~/.ssh/id_ed25519
892and
893.Pa ~/.ssh/id_rsa
894for protocol version 2.
895Additionally, any identities represented by the authentication agent
896will be used for authentication unless
897.Cm IdentitiesOnly
898is set.
899.Xr ssh 1
900will try to load certificate information from the filename obtained by
901appending
902.Pa -cert.pub
903to the path of a specified
904.Cm IdentityFile .
905.Pp
906The file name may use the tilde
907syntax to refer to a user's home directory or one of the following
908escape characters:
909.Ql %d
910(local user's home directory),
911.Ql %u
912(local user name),
913.Ql %l
914(local host name),
915.Ql %h
916(remote host name) or
917.Ql %r
918(remote user name).
919.Pp
920It is possible to have
921multiple identity files specified in configuration files; all these
922identities will be tried in sequence.
923Multiple
924.Cm IdentityFile
925directives will add to the list of identities tried (this behaviour
926differs from that of other configuration directives).
927.Pp
928.Cm IdentityFile
929may be used in conjunction with
930.Cm IdentitiesOnly
931to select which identities in an agent are offered during authentication.
932.It Cm IgnoreUnknown
933Specifies a pattern-list of unknown options to be ignored if they are
934encountered in configuration parsing.
935This may be used to suppress errors if
936.Nm
937contains options that are unrecognised by
938.Xr ssh 1 .
939It is recommended that
940.Cm IgnoreUnknown
941be listed early in the configuration file as it will not be applied
942to unknown options that appear before it.
943.It Cm IPQoS
944Specifies the IPv4 type-of-service or DSCP class for connections.
945Accepted values are
946.Dq af11 ,
947.Dq af12 ,
948.Dq af13 ,
949.Dq af21 ,
950.Dq af22 ,
951.Dq af23 ,
952.Dq af31 ,
953.Dq af32 ,
954.Dq af33 ,
955.Dq af41 ,
956.Dq af42 ,
957.Dq af43 ,
958.Dq cs0 ,
959.Dq cs1 ,
960.Dq cs2 ,
961.Dq cs3 ,
962.Dq cs4 ,
963.Dq cs5 ,
964.Dq cs6 ,
965.Dq cs7 ,
966.Dq ef ,
967.Dq lowdelay ,
968.Dq throughput ,
969.Dq reliability ,
970or a numeric value.
971This option may take one or two arguments, separated by whitespace.
972If one argument is specified, it is used as the packet class unconditionally.
973If two values are specified, the first is automatically selected for
974interactive sessions and the second for non-interactive sessions.
975The default is
976.Dq lowdelay
977for interactive sessions and
978.Dq throughput
979for non-interactive sessions.
980.It Cm KbdInteractiveAuthentication
981Specifies whether to use keyboard-interactive authentication.
982The argument to this keyword must be
983.Dq yes
984or
985.Dq no .
986The default is
987.Dq yes .
988.It Cm KbdInteractiveDevices
989Specifies the list of methods to use in keyboard-interactive authentication.
990Multiple method names must be comma-separated.
991The default is to use the server specified list.
992The methods available vary depending on what the server supports.
993For an OpenSSH server,
994it may be zero or more of:
995.Dq bsdauth ,
996.Dq pam ,
997and
998.Dq skey .
999.It Cm KexAlgorithms
1000Specifies the available KEX (Key Exchange) algorithms.
1001Multiple algorithms must be comma-separated.
1002Alternately if the specified value begins with a
1003.Sq +
1004character, then the specified methods will be appended to the default set
1005instead of replacing them.
1006The default is:
1007.Bd -literal -offset indent
1008curve25519-sha256@libssh.org,
1009ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
1010diffie-hellman-group-exchange-sha256,
1011diffie-hellman-group-exchange-sha1,
1012diffie-hellman-group14-sha1
1013.Ed
1014.Pp
1015The list of available key exchange algorithms may also be obtained using the
1016.Fl Q
1017option of
1018.Xr ssh 1
1019with an argument of
1020.Dq kex .
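.Pp
Added example, not OpenSSH code and not from this manual page, covering the algorithm-list options that share the leading "+" rule: Ciphers, HostbasedKeyTypes, HostKeyAlgorithms and KexAlgorithms. It resolves a configured value against the defaults printed on this page, rejects names outside the supported set the way the client rejects an unknown algorithm, reports the legacy entries in a resolved list, and shows why order matters by picking what would be negotiated against a server's offer. The cipher and KEX lists are copied from this page; since the page does not list every supported KEX algorithm, the example assumes the supported KEX set equals the default. The legacy classification and its reasons are the example's own, not the page's.

```python
# Lists copied from this page (OpenSSH 7.1 era).
DEFAULT_CIPHERS = ("chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,"
                   "aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour256,arcfour128,"
                   "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour")
SUPPORTED_CIPHERS = set(DEFAULT_CIPHERS.split(","))
DEFAULT_KEX = ("curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,"
               "ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,"
               "diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1")
SUPPORTED_KEX = set(DEFAULT_KEX.split(","))   # assumption: page lists only the default

# This example's own classification of what to drop from a client list, and why.
LEGACY_REASON = {
    "arcfour": "RC4 keystream biases",
    "arcfour128": "RC4 keystream biases",
    "arcfour256": "RC4 keystream biases",
    "3des-cbc": "64-bit block cipher in CBC mode",
    "blowfish-cbc": "64-bit block cipher in CBC mode",
    "cast128-cbc": "64-bit block cipher in CBC mode",
    "aes128-cbc": "CBC mode (plaintext-recovery attacks against SSH CBC)",
    "aes192-cbc": "CBC mode (plaintext-recovery attacks against SSH CBC)",
    "aes256-cbc": "CBC mode (plaintext-recovery attacks against SSH CBC)",
    "diffie-hellman-group-exchange-sha1": "SHA-1 based key exchange",
    "diffie-hellman-group14-sha1": "SHA-1 based key exchange",
}


def resolve_algorithms(spec, default, supported):
    """Documented '+' rule: a leading '+' appends to the default list, anything else
    replaces it. Names outside the supported set are rejected, as ssh rejects them."""
    names = default.split(",") + spec[1:].split(",") if spec.startswith("+") else spec.split(",")
    unknown = [n for n in names if n not in supported]
    if unknown:
        raise ValueError("unsupported algorithm(s): " + ",".join(unknown))
    return list(dict.fromkeys(names))         # keep first occurrence, drop repeats


def audit(names):
    """Return [(name, reason)] for every legacy algorithm in a resolved list."""
    return [(n, LEGACY_REASON[n]) for n in names if n in LEGACY_REASON]


def hardened(default):
    """The documented default with the legacy entries removed, order preserved."""
    return ",".join(n for n in default.split(",") if n not in LEGACY_REASON)


def negotiate(client_prefs, server_offers):
    """SSH takes the first algorithm in the client's order that the server also
    supports, so the order given in Ciphers/KexAlgorithms decides the outcome."""
    for name in client_prefs:
        if name in server_offers:
            return name
    raise ValueError("no common algorithm")
```

Appending with "+" is the safe way to restore one legacy algorithm for a single old host (inside a Host stanza), because the modern defaults stay ahead of it in the preference order; replacing the whole list is what silently drops everything else.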
1021.It Cm LocalCommand
1022Specifies a command to execute on the local machine after successfully
1023connecting to the server.
1024The command string extends to the end of the line, and is executed with
1025the user's shell.
1026The following escape character substitutions will be performed:
1027.Ql %d
1028(local user's home directory),
1029.Ql %h
1030(remote host name),
1031.Ql %l
1032(local host name),
1033.Ql %n
1034(host name as provided on the command line),
1035.Ql %p
1036(remote port),
1037.Ql %r
1038(remote user name),
1039.Ql %u
1040(local user name), or
1041.Ql \&%C
1042(a hash of the concatenation %l%h%p%r).
1043.Pp
1044The command is run synchronously and does not have access to the
1045session of the
1046.Xr ssh 1
1047that spawned it.
1048It should not be used for interactive commands.
1049.Pp
1050This directive is ignored unless
1051.Cm PermitLocalCommand
1052has been enabled.
1053.It Cm LocalForward
1054Specifies that a TCP port on the local machine be forwarded over
1055the secure channel to the specified host and port from the remote machine.
1056The first argument must be
1057.Sm off
1058.Oo Ar bind_address : Oc Ar port
1059.Sm on
1060and the second argument must be
1061.Ar host : Ns Ar hostport .
1062IPv6 addresses can be specified by enclosing addresses in square brackets.
1063Multiple forwardings may be specified, and additional forwardings can be
1064given on the command line.
1065Only the superuser can forward privileged ports.
1066By default, the local port is bound in accordance with the
1067.Cm GatewayPorts
1068setting.
1069However, an explicit
1070.Ar bind_address
1071may be used to bind the connection to a specific address.
1072The
1073.Ar bind_address
1074of
1075.Dq localhost
1076indicates that the listening port be bound for local use only, while an
1077empty address or
1078.Sq *
1079indicates that the port should be available from all interfaces.
1080.It Cm LogLevel
1081Gives the verbosity level that is used when logging messages from
1082.Xr ssh 1 .
1083The possible values are:
1084QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
1085The default is INFO.
1086DEBUG and DEBUG1 are equivalent.
1087DEBUG2 and DEBUG3 each specify higher levels of verbose output.
1088.It Cm MACs
1089Specifies the MAC (message authentication code) algorithms
1090in order of preference.
1091The MAC algorithm is used in protocol version 2
1092for data integrity protection.
1093Multiple algorithms must be comma-separated.
1094If the specified value begins with a
1095.Sq +
1096character, then the specified algorithms will be appended to the default set
1097instead of replacing them.
1098.Pp
1099The algorithms that contain
1100.Dq -etm
1101calculate the MAC after encryption (encrypt-then-mac).
1102These are considered safer and their use is recommended.
1103.Pp
1104The default is:
1105.Bd -literal -offset indent
1106umac-64-etm@openssh.com,umac-128-etm@openssh.com,
1107hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
1108umac-64@openssh.com,umac-128@openssh.com,
1109hmac-sha2-256,hmac-sha2-512,
1110hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
1111hmac-ripemd160-etm@openssh.com,
1112hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,
1113hmac-md5,hmac-sha1,hmac-ripemd160,
1114hmac-sha1-96,hmac-md5-96
1115.Ed
1116.Pp
1117The list of available MAC algorithms may also be obtained using the
1118.Fl Q
1119option of
1120.Xr ssh 1
1121with an argument of
1122.Dq mac .
1123.It Cm NoHostAuthenticationForLocalhost
1124This option can be used if the home directory is shared across machines.
1125In this case localhost will refer to a different machine on each of
1126the machines and the user will get many warnings about changed host keys.
1127However, this option disables host authentication for localhost.
1128The argument to this keyword must be
1129.Dq yes
1130or
1131.Dq no .
1132The default is to check the host key for localhost.
1133.It Cm NumberOfPasswordPrompts
1134Specifies the number of password prompts before giving up.
1135The argument to this keyword must be an integer.
1136The default is 3.
1137.It Cm PasswordAuthentication
1138Specifies whether to use password authentication.
1139The argument to this keyword must be
1140.Dq yes
1141or
1142.Dq no .
1143The default is
1144.Dq yes .
1145.It Cm PermitLocalCommand
1146Allow local command execution via the
1147.Ic LocalCommand
1148option or using the
1149.Ic !\& Ns Ar command
1150escape sequence in
1151.Xr ssh 1 .
1152The argument must be
1153.Dq yes
1154or
1155.Dq no .
1156The default is
1157.Dq no .
1158.It Cm PKCS11Provider
1159Specifies which PKCS#11 provider to use.
1160The argument to this keyword is the PKCS#11 shared library
1161.Xr ssh 1
1162should use to communicate with a PKCS#11 token providing the user's
1163private RSA key.
1164.It Cm Port
1165Specifies the port number to connect on the remote host.
1166The default is 22.
1167.It Cm PreferredAuthentications
1168Specifies the order in which the client should try protocol 2
1169authentication methods.
1170This allows a client to prefer one method (e.g.\&
1171.Cm keyboard-interactive )
1172over another method (e.g.\&
1173.Cm password ) .
1174The default is:
1175.Bd -literal -offset indent
1176gssapi-with-mic,hostbased,publickey,
1177keyboard-interactive,password
1178.Ed
1179.It Cm Protocol
1180Specifies the protocol versions
1181.Xr ssh 1
1182should support in order of preference.
1183The possible values are
1184.Sq 1
1185and
1186.Sq 2 .
1187Multiple versions must be comma-separated.
1188When this option is set to
1189.Dq 2,1
1190.Nm ssh
1191will try version 2 and fall back to version 1
1192if version 2 is not available.
1193The default is
1194.Sq 2 .
1195.It Cm ProxyCommand
1196Specifies the command to use to connect to the server.
1197The command
1198string extends to the end of the line, and is executed
1199using the user's shell
1200.Ql exec
1201directive to avoid a lingering shell process.
1202.Pp
1203In the command string, any occurrence of
1204.Ql %h
1205will be substituted by the host name to
1206connect,
1207.Ql %p
1208by the port, and
1209.Ql %r
1210by the remote user name.
1211The command can be basically anything,
1212and should read from its standard input and write to its standard output.
1213It should eventually connect an
1214.Xr sshd 8
1215server running on some machine, or execute
1216.Ic sshd -i
1217somewhere.
1218Host key management will be done using the
1219HostName of the host being connected (defaulting to the name typed by
1220the user).
1221Setting the command to
1222.Dq none
1223disables this option entirely.
1224Note that
1225.Cm CheckHostIP
1226is not available for connections made through a proxy command.
1227.Pp
1228This directive is useful in conjunction with
1229.Xr nc 1
1230and its proxy support.
1231For example, the following directive would connect via an HTTP proxy at
1232192.0.2.0:
1233.Bd -literal -offset 3n
1234ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
1235.Ed
1236.It Cm ProxyUseFdpass
1237Specifies that
1238.Cm ProxyCommand
1239will pass a connected file descriptor back to
1240.Xr ssh 1
1241instead of continuing to execute and pass data.
1242The default is
1243.Dq no .
1244.It Cm PubkeyAcceptedKeyTypes
1245Specifies the key types that will be used for public key authentication
1246as a comma-separated pattern list.
1247Alternately, if the specified value begins with a
1248.Sq +
1249character, then the key types after it will be appended to the default
1250instead of replacing it.
1251The default for this option is:
1252.Bd -literal -offset 3n
1253ecdsa-sha2-nistp256-cert-v01@openssh.com,
1254ecdsa-sha2-nistp384-cert-v01@openssh.com,
1255ecdsa-sha2-nistp521-cert-v01@openssh.com,
1256ssh-ed25519-cert-v01@openssh.com,
1257ssh-rsa-cert-v01@openssh.com,
1258ssh-dss-cert-v01@openssh.com,
1259ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
1260ecdsa-sha2-nistp521,ssh-ed25519,
1261ssh-rsa,ssh-dss
1262.Ed
1263.Pp
1264The
1265.Fl Q
1266option of
1267.Xr ssh 1
1268may be used to list supported key types.
1269.It Cm PubkeyAuthentication
1270Specifies whether to try public key authentication.
1271The argument to this keyword must be
1272.Dq yes
1273or
1274.Dq no .
1275The default is
1276.Dq yes .
1277This option applies to protocol version 2 only.
1278.It Cm RekeyLimit
1279Specifies the maximum amount of data that may be transmitted before the
1280session key is renegotiated, optionally followed by a maximum amount of
1281time that may pass before the session key is renegotiated.
1282The first argument is specified in bytes and may have a suffix of
1283.Sq K ,
1284.Sq M ,
1285or
1286.Sq G
1287to indicate Kilobytes, Megabytes, or Gigabytes, respectively.
1288The default is between
1289.Sq 1G
1290and
1291.Sq 4G ,
1292depending on the cipher.
1293The optional second value is specified in seconds and may use any of the
1294units documented in the
1295TIME FORMATS section of
1296.Xr sshd_config 5 .
1297The default value for
1298.Cm RekeyLimit
1299is
1300.Dq default none ,
1301which means that rekeying is performed after the cipher's default amount
1302of data has been sent or received and no time based rekeying is done.
1303This option applies to protocol version 2 only.
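An added example, not OpenSSH code, that parses a RekeyLimit value as described above into a (bytes, seconds) pair: "default" keeps the cipher's own data limit, "none" or a missing second argument means no time-based rekeying, and the time units are those of the TIME FORMATS section of sshd_config(5). The hourly-rekey policy check at the end is this example's own review criterion.

```python
# Added example, not OpenSSH code.  Parses RekeyLimit into
# (data_bytes, seconds); None means "cipher default" for the first
# value and "no time-based rekeying" for the second.
import re

_BYTE_SCALE = {"": 1, "k": 1 << 10, "m": 1 << 20, "g": 1 << 30}
_TIME_SCALE = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_data_limit(text):
    """'default' -> None (cipher default); else bytes with optional K/M/G."""
    if text.lower() == "default":
        return None
    m = re.fullmatch(r"(\d+)([kKmMgG]?)", text)
    if m is None:
        raise ValueError("bad RekeyLimit data amount %r" % text)
    return int(m.group(1)) * _BYTE_SCALE[m.group(2).lower()]


def parse_time_limit(text):
    """'none' -> None; else seconds from a TIME FORMATS string.

    Accepts a bare number of seconds or a sequence of number+unit
    terms such as '30m' or '1h30m' (s, m, h, d, w).
    """
    if text.lower() == "none":
        return None
    if re.fullmatch(r"(?:\d+[sSmMhHdDwW]?)+", text) is None:
        raise ValueError("bad RekeyLimit time %r" % text)
    total = 0
    for m in re.finditer(r"(\d+)([sSmMhHdDwW]?)", text):
        total += int(m.group(1)) * _TIME_SCALE[m.group(2).lower()]
    return total


def parse_rekey_limit(value):
    """Parse the whole keyword argument, e.g. '1G 1h' or 'default none'."""
    parts = value.split()
    if not 1 <= len(parts) <= 2:
        raise ValueError("RekeyLimit takes one or two arguments: %r" % value)
    data = parse_data_limit(parts[0])
    seconds = parse_time_limit(parts[1]) if len(parts) == 2 else None
    return data, seconds


def rekeys_at_least_hourly(value):
    """Policy check (this example's own): is a time-based rekey of one
    hour or less configured?  The default 'default none' fails it."""
    _, seconds = parse_rekey_limit(value)
    return seconds is not None and seconds <= 3600
```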
1304.It Cm RemoteForward
1305Specifies that a TCP port on the remote machine be forwarded over
1306the secure channel to the specified host and port from the local machine.
1307The first argument must be
1308.Sm off
1309.Oo Ar bind_address : Oc Ar port
1310.Sm on
1311and the second argument must be
1312.Ar host : Ns Ar hostport .
1313IPv6 addresses can be specified by enclosing addresses in square brackets.
1314Multiple forwardings may be specified, and additional
1315forwardings can be given on the command line.
1316Privileged ports can be forwarded only when
1317logging in as root on the remote machine.
1318.Pp
1319If the
1320.Ar port
1321argument is
1322.Ql 0 ,
1323the listen port will be dynamically allocated on the server and reported
1324to the client at run time.
1325.Pp
1326If the
1327.Ar bind_address
1328is not specified, the default is to only bind to loopback addresses.
1329If the
1330.Ar bind_address
1331is
1332.Ql *
1333or an empty string, then the forwarding is requested to listen on all
1334interfaces.
1335Specifying a remote
1336.Ar bind_address
1337will only succeed if the server's
1338.Cm GatewayPorts
1339option is enabled (see
1340.Xr sshd_config 5 ) .
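The following added example (not OpenSSH code) parses the argument form shared by LocalForward and RemoteForward, [bind_address:]port host:hostport with IPv6 addresses in square brackets, and reports where each listener would be bound, so that a review of a configuration can spot forwards that listen on every interface. The SAMPLE_CONFIG lines are constructed for the example and do not describe any real system.

```python
# Added example, not OpenSSH code.  Parses LocalForward/RemoteForward
# arguments and classifies where the listening socket is bound.


def _split_host_port(text):
    """Split 'host:port' or '[ipv6]:port'.  Returns (None, port) when
    there is no host part, ('', port) for an explicit empty one."""
    if text.startswith("["):
        end = text.find("]:")
        if end < 0:
            raise ValueError("unterminated bracketed address in %r" % text)
        return text[1:end], text[end + 2:]
    host, sep, port = text.rpartition(":")
    if not sep:
        return None, text
    if ":" in host:
        raise ValueError("IPv6 address must be bracketed in %r" % text)
    return host, port


def _port(text):
    if not text.isdigit() or int(text) > 65535:
        raise ValueError("bad port %r" % text)
    return int(text)        # 0 is legal: RemoteForward allocates dynamically


def parse_forward(spec):
    """Parse '[bind_address:]port host:hostport' into a dict.

    bind_address is None when omitted (the GatewayPorts default applies),
    '' or '*' for all interfaces, or the literal address given.
    """
    parts = spec.split()
    if len(parts) != 2:
        raise ValueError("expected two arguments in %r" % spec)
    bind_address, port = _split_host_port(parts[0])
    host, hostport = _split_host_port(parts[1])
    if not host:
        raise ValueError("destination host missing in %r" % spec)
    return {"bind_address": bind_address, "port": _port(port),
            "host": host, "hostport": _port(hostport)}


def listen_scope(bind_address, gateway_ports=False):
    """Where the listener binds, following the LocalForward text above.
    For RemoteForward the server's own GatewayPorts decides whether a
    non-loopback bind_address is honoured at all."""
    if bind_address is None:
        return "all interfaces" if gateway_ports else "loopback"
    if bind_address in ("localhost", "127.0.0.1", "::1"):
        return "loopback"
    if bind_address in ("", "*"):
        return "all interfaces"
    return bind_address


def exposed_forwards(config_lines, gateway_ports=False):
    """Return (keyword, argument, scope) for every forward whose
    listener is not confined to loopback."""
    found = []
    for line in config_lines:
        fields = line.strip().split(None, 1)
        if len(fields) != 2 or fields[0] not in ("LocalForward", "RemoteForward"):
            continue
        scope = listen_scope(parse_forward(fields[1])["bind_address"], gateway_ports)
        if scope != "loopback":
            found.append((fields[0], fields[1], scope))
    return found


# Constructed sample configuration for the example, not a real system.
SAMPLE_CONFIG = """\
Host jump
    LocalForward 8080 intranet.example:80
    LocalForward *:5432 db.example:5432
    LocalForward [::1]:6379 cache.example:6379
    RemoteForward 0 localhost:22
    RemoteForward 192.0.2.10:2222 localhost:22
""".splitlines()
```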
1341.It Cm RequestTTY
1342Specifies whether to request a pseudo-tty for the session.
1343The argument may be one of:
1344.Dq no
1345(never request a TTY),
1346.Dq yes
1347(always request a TTY when standard input is a TTY),
1348.Dq force
1349(always request a TTY) or
1350.Dq auto
1351(request a TTY when opening a login session).
1352This option mirrors the
1353.Fl t
1354and
1355.Fl T
1356flags for
1357.Xr ssh 1 .
1358.It Cm RevokedHostKeys
1359Specifies revoked host public keys.
1360Keys listed in this file will be refused for host authentication.
1361Note that if this file does not exist or is not readable,
1362then host authentication will be refused for all hosts.
1363Keys may be specified as a text file, listing one public key per line, or as
1364an OpenSSH Key Revocation List (KRL) as generated by
1365.Xr ssh-keygen 1 .
1366For more information on KRLs, see the KEY REVOCATION LISTS section in
1367.Xr ssh-keygen 1 .
1368.It Cm RhostsRSAAuthentication
1369Specifies whether to try rhosts based authentication with RSA host
1370authentication.
1371The argument must be
1372.Dq yes
1373or
1374.Dq no .
1375The default is
1376.Dq no .
1377This option applies to protocol version 1 only and requires
1378.Xr ssh 1
1379to be setuid root.
1380.It Cm RSAAuthentication
1381Specifies whether to try RSA authentication.
1382The argument to this keyword must be
1383.Dq yes
1384or
1385.Dq no .
1386RSA authentication will only be
1387attempted if the identity file exists, or an authentication agent is
1388running.
1389The default is
1390.Dq yes .
1391Note that this option applies to protocol version 1 only.
1392.It Cm SendEnv
1393Specifies what variables from the local
1394.Xr environ 7
1395should be sent to the server.
1396Note that environment passing is only supported for protocol 2.
1397The server must also support it, and the server must be configured to
1398accept these environment variables.
1399Note that the
1400.Ev TERM
1401environment variable is always sent whenever a
1402pseudo-terminal is requested as it is required by the protocol.
1403Refer to
1404.Cm AcceptEnv
1405in
1406.Xr sshd_config 5
1407for how to configure the server.
1408Variables are specified by name, which may contain wildcard characters.
1409Multiple environment variables may be separated by whitespace or spread
1410across multiple
1411.Cm SendEnv
1412directives.
1413The default is not to send any environment variables.
1414.Pp
1415See
1416.Sx PATTERNS
1417for more information on patterns.
1418.It Cm ServerAliveCountMax
1419Sets the number of server alive messages (see below) which may be
1420sent without
1421.Xr ssh 1
1422receiving any messages back from the server.
1423If this threshold is reached while server alive messages are being sent,
1424ssh will disconnect from the server, terminating the session.
1425It is important to note that the use of server alive messages is very
1426different from
1427.Cm TCPKeepAlive
1428(below).
1429The server alive messages are sent through the encrypted channel
1430and therefore will not be spoofable.
1431The TCP keepalive option enabled by
1432.Cm TCPKeepAlive
1433is spoofable.
1434The server alive mechanism is valuable when the client or
1435server depend on knowing when a connection has become inactive.
1436.Pp
1437The default value is 3.
1438If, for example,
1439.Cm ServerAliveInterval
1440(see below) is set to 15 and
1441.Cm ServerAliveCountMax
1442is left at the default, if the server becomes unresponsive,
1443ssh will disconnect after approximately 45 seconds.
1444This option applies to protocol version 2 only.
1445.It Cm ServerAliveInterval
1446Sets a timeout interval in seconds after which if no data has been received
1447from the server,
1448.Xr ssh 1
1449will send a message through the encrypted
1450channel to request a response from the server.
1451The default
1452is 0, indicating that these messages will not be sent to the server.
1453This option applies to protocol version 2 only.
1454.It Cm StreamLocalBindMask
1455Sets the octal file creation mode mask
1456.Pq umask
1457used when creating a Unix-domain socket file for local or remote
1458port forwarding.
1459This option is only used for port forwarding to a Unix-domain socket file.
1460.Pp
1461The default value is 0177, which creates a Unix-domain socket file that is
1462readable and writable only by the owner.
1463Note that not all operating systems honor the file mode on Unix-domain
1464socket files.
1465.It Cm StreamLocalBindUnlink
1466Specifies whether to remove an existing Unix-domain socket file for local
1467or remote port forwarding before creating a new one.
1468If the socket file already exists and
1469.Cm StreamLocalBindUnlink
1470is not enabled,
1471.Nm ssh
1472will be unable to forward the port to the Unix-domain socket file.
1473This option is only used for port forwarding to a Unix-domain socket file.
1474.Pp
1475The argument must be
1476.Dq yes
1477or
1478.Dq no .
1479The default is
1480.Dq no .
1481.It Cm StrictHostKeyChecking
1482If this flag is set to
1483.Dq yes ,
1484.Xr ssh 1
1485will never automatically add host keys to the
1486.Pa ~/.ssh/known_hosts
1487file, and refuses to connect to hosts whose host key has changed.
1488This provides maximum protection against trojan horse attacks,
1489though it can be annoying when the
1490.Pa /etc/ssh/ssh_known_hosts
1491file is poorly maintained or when connections to new hosts are
1492frequently made.
1493This option forces the user to manually
1494add all new hosts.
1495If this flag is set to
1496.Dq no ,
1497ssh will automatically add new host keys to the
1498user known hosts files.
1499If this flag is set to
1500.Dq ask ,
1501new host keys
1502will be added to the user known host files only after the user
1503has confirmed that is what they really want to do, and
1504ssh will refuse to connect to hosts whose host key has changed.
1505The host keys of
1506known hosts will be verified automatically in all cases.
1507The argument must be
1508.Dq yes ,
1509.Dq no ,
1510or
1511.Dq ask .
1512The default is
1513.Dq ask .
1514.It Cm TCPKeepAlive
1515Specifies whether the system should send TCP keepalive messages to the
1516other side.
1517If they are sent, death of the connection or crash of one
1518of the machines will be properly noticed.
1519However, this means that
1520connections will die if the route is down temporarily, and some people
1521find it annoying.
1522.Pp
1523The default is
1524.Dq yes
1525(to send TCP keepalive messages), and the client will notice
1526if the network goes down or the remote host dies.
1527This is important in scripts, and many users want it too.
1528.Pp
1529To disable TCP keepalive messages, the value should be set to
1530.Dq no .
1531.It Cm Tunnel
1532Request
1533.Xr tun 4
1534device forwarding between the client and the server.
1535The argument must be
1536.Dq yes ,
1537.Dq point-to-point
1538(layer 3),
1539.Dq ethernet
1540(layer 2),
1541or
1542.Dq no .
1543Specifying
1544.Dq yes
1545requests the default tunnel mode, which is
1546.Dq point-to-point .
1547The default is
1548.Dq no .
1549.It Cm TunnelDevice
1550Specifies the
1551.Xr tun 4
1552devices to open on the client
1553.Pq Ar local_tun
1554and the server
1555.Pq Ar remote_tun .
1556.Pp
1557The argument must be
1558.Sm off
1559.Ar local_tun Op : Ar remote_tun .
1560.Sm on
1561The devices may be specified by numerical ID or the keyword
1562.Dq any ,
1563which uses the next available tunnel device.
1564If
1565.Ar remote_tun
1566is not specified, it defaults to
1567.Dq any .
1568The default is
1569.Dq any:any .
1570.It Cm UpdateHostKeys
1571Specifies whether
1572.Xr ssh 1
1573should accept notifications of additional hostkeys from the server sent
1574after authentication has completed and add them to
1575.Cm UserKnownHostsFile .
1576The argument must be
1577.Dq yes ,
1578.Dq no
1579(the default) or
1580.Dq ask .
1581Enabling this option allows learning alternate hostkeys for a server
1582and supports graceful key rotation by allowing a server to send replacement
1583public keys before old ones are removed.
1584Additional hostkeys are only accepted if the key used to authenticate the
1585host was already trusted or explicitly accepted by the user.
1586If
1587.Cm UpdateHostKeys
1588is set to
1589.Dq ask ,
1590then the user is asked to confirm the modifications to the known_hosts file.
1591Confirmation is currently incompatible with
1592.Cm ControlPersist ,
1593and will be disabled if it is enabled.
1594.Pp
1595Presently, only
1596.Xr sshd 8
1597from OpenSSH 6.8 and greater supports the
1598.Dq hostkeys@openssh.com
1599protocol extension used to inform the client of all the server's hostkeys.
1600.It Cm UsePrivilegedPort
1601Specifies whether to use a privileged port for outgoing connections.
1602The argument must be
1603.Dq yes
1604or
1605.Dq no .
1606The default is
1607.Dq no .
1608If set to
1609.Dq yes ,
1610.Xr ssh 1
1611must be setuid root.
1612Note that this option must be set to
1613.Dq yes
1614for
1615.Cm RhostsRSAAuthentication
1616with older servers.
1617.It Cm User
1618Specifies the user to log in as.
1619This can be useful when a different user name is used on different machines.
1620This saves the trouble of
1621having to remember to give the user name on the command line.
1622.It Cm UserKnownHostsFile
1623Specifies one or more files to use for the user
1624host key database, separated by whitespace.
1625The default is
1626.Pa ~/.ssh/known_hosts ,
1627.Pa ~/.ssh/known_hosts2 .
1628.It Cm VerifyHostKeyDNS
1629Specifies whether to verify the remote key using DNS and SSHFP resource
1630records.
1631If this option is set to
1632.Dq yes ,
1633the client will implicitly trust keys that match a secure fingerprint
1634from DNS.
1635Insecure fingerprints will be handled as if this option was set to
1636.Dq ask .
1637If this option is set to
1638.Dq ask ,
1639information on fingerprint match will be displayed, but the user will still
1640need to confirm new host keys according to the
1641.Cm StrictHostKeyChecking
1642option.
1643The argument must be
1644.Dq yes ,
1645.Dq no ,
1646or
1647.Dq ask .
1648The default is
1649.Dq yes
1650if compiled with LDNS and
1651.Dq no
1652otherwise.
1653Note that this option applies to protocol version 2 only.
1654.Pp
1655See also VERIFYING HOST KEYS in
1656.Xr ssh 1 .
1657.It Cm VersionAddendum
1658Specifies a string to append to the regular version string to identify
1659OS- or site-specific modifications.
1660The default is
1661.Dq FreeBSD-20160121 .
1662The value
1663.Dq none
1664may be used to disable this.
1665.It Cm VisualHostKey
1666If this flag is set to
1667.Dq yes ,
1668an ASCII art representation of the remote host key fingerprint is
1669printed in addition to the fingerprint string at login and
1670for unknown host keys.
1671If this flag is set to
1672.Dq no ,
1673no fingerprint strings are printed at login and
1674only the fingerprint string will be printed for unknown host keys.
1675The default is
1676.Dq no .
1677.It Cm XAuthLocation
1678Specifies the full pathname of the
1679.Xr xauth 1
1680program.
1681The default is
1682.Pa /usr/local/bin/xauth .
1683.El
1684.Sh PATTERNS
1685A
1686.Em pattern
1687consists of zero or more non-whitespace characters,
1688.Sq *
1689(a wildcard that matches zero or more characters),
1690or
1691.Sq ?\&
1692(a wildcard that matches exactly one character).
1693For example, to specify a set of declarations for any host in the
1694.Dq .co.uk
1695set of domains,
1696the following pattern could be used:
1697.Pp
1698.Dl Host *.co.uk
1699.Pp
1700The following pattern
1701would match any host in the 192.168.0.[0-9] network range:
1702.Pp
1703.Dl Host 192.168.0.?
1704.Pp
1705A
1706.Em pattern-list
1707is a comma-separated list of patterns.
1708Patterns within pattern-lists may be negated
1709by preceding them with an exclamation mark
1710.Pq Sq !\& .
1711For example,
1712to allow a key to be used from anywhere within an organization
1713except from the
1714.Dq dialup
1715pool,
1716the following entry (in authorized_keys) could be used:
1717.Pp
1718.Dl from=\&"!*.dialup.example.com,*.example.com\&"
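An added example, not OpenSSH code, implementing the pattern and pattern-list rules of this section: "*" matches any run of characters, "?" exactly one, a pattern must cover the whole string, and a "!" entry in a comma-separated list negates. As in ssh, a negated entry that matches rejects regardless of its position in the list; the three-way result (1, -1, 0) mirrors that behaviour.

```python
# Added example, not OpenSSH code.  Implements the PATTERNS rules:
# '*' any run of characters, '?' exactly one, whole-string matching,
# and comma-separated pattern-lists with '!' negation.


def match_pattern(text, pattern):
    """Match the whole text against one pattern (case-sensitive)."""
    ti = pi = 0
    star_pi = star_ti = -1          # last '*' seen and where it started
    while ti < len(text):
        if pi < len(pattern) and pattern[pi] == "*":
            star_pi, star_ti = pi, ti
            pi += 1
        elif pi < len(pattern) and pattern[pi] in ("?", text[ti]):
            ti += 1
            pi += 1
        elif star_pi >= 0:          # backtrack: let the '*' absorb one more
            star_ti += 1
            ti = star_ti
            pi = star_pi + 1
        else:
            return False
    while pi < len(pattern) and pattern[pi] == "*":
        pi += 1                     # trailing '*' may match nothing
    return pi == len(pattern)


def match_pattern_list(text, pattern_list):
    """Return 1 for a positive match, -1 for a negated match, 0 for none.

    A negated entry that matches wins immediately, so
    "!*.dialup.example.com,*.example.com" and the reversed order give
    the same answer for a dialup host.
    """
    got_positive = False
    for entry in pattern_list.split(","):
        negated = entry.startswith("!")
        if negated:
            entry = entry[1:]
        if match_pattern(text, entry):
            if negated:
                return -1
            got_positive = True
    return 1 if got_positive else 0
```

Note that "*" also matches dots, so "*example.com" accepts "fakeexample.com" while "*.example.com" does not; the leading dot is what anchors the pattern to the domain.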
1719.Sh FILES
1720.Bl -tag -width Ds
1721.It Pa ~/.ssh/config
1722This is the per-user configuration file.
1723The format of this file is described above.
1724This file is used by the SSH client.
1725Because of the potential for abuse, this file must have strict permissions:
1726read/write for the user, and not accessible by others.
1727.It Pa /etc/ssh/ssh_config
1728Systemwide configuration file.
1729This file provides defaults for those
1730values that are not specified in the user's configuration file, and
1731for those users who do not have a configuration file.
1732This file must be world-readable.
1733.El
1734.Sh SEE ALSO
1735.Xr ssh 1
1736.Sh AUTHORS
1737OpenSSH is a derivative of the original and free
1738ssh 1.2.12 release by Tatu Ylonen.
1739Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
1740Theo de Raadt and Dug Song
1741removed many bugs, re-added newer features and
1742created OpenSSH.
1743Markus Friedl contributed the support for SSH
1744protocol versions 1.5 and 2.0.
1745