.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh_config.5,v 1.102 2007/08/15 12:13:41 stevesk Exp $
-.Dd $Mdocdate: August 15 2007 $
+.\" $OpenBSD: ssh_config.5,v 1.119 2009/02/22 23:50:57 djm Exp $
+.Dd $Mdocdate: February 22 2009 $
.Dt SSH_CONFIG 5
.Os
.Sh NAME
user's configuration file
.Pq Pa ~/.ssh/config
.It
+GSSAPI configuration file
+.Pq Pa $HOME/.ssh/config.gssapi
+.It
+Kerberos configuration file
+.Pq Pa $HOME/.ssh/config.krb
+.It
system-wide configuration file
.Pq Pa /etc/ssh/ssh_config
.El
.Cm Host
keyword) to be only for those hosts that match one of the patterns
given after the keyword.
+If more than one pattern is provided, they should be separated by whitespace.
A single
.Ql *
as a pattern can be used to provide global
.Dq cast128-cbc .
The default is:
.Bd -literal -offset 3n
-aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
-arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
-aes192-ctr,aes256-ctr
+aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
+aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
+aes256-cbc,arcfour
.Ed
.It Cm ClearAllForwardings
Specifies that all local, remote, and dynamic port forwardings
.It Cm GSSAPIAuthentication
Specifies whether user authentication based on GSSAPI is allowed.
The default is
-.Dq no .
+.Dq yes .
+Note that this option applies to protocol version 2 only.
+.It Cm GSSAPIKeyExchange
+Specifies whether key exchange based on GSSAPI may be used. When using
+GSSAPI key exchange the server need not have a host key.
+The default is
+.Dq yes .
Note that this option applies to protocol version 2 only.
+.It Cm GSSAPIClientIdentity
+If set, specifies the GSSAPI client identity that ssh should use when
+connecting to the server. The default is unset, which means that the default
+identity will be used.
.It Cm GSSAPIDelegateCredentials
Forward (delegate) credentials to the server.
The default is
-.Dq no .
-Note that this option applies to protocol version 2 only.
+.Dq yes .
+Note that this option applies to protocol version 2 connections using GSSAPI.
+.It Cm GSSAPIRenewalForcesRekey
+If set to
+.Dq yes
+then renewal of the client's GSSAPI credentials will force the rekeying of the
+ssh connection. With a compatible server, this can delegate the renewed
+credentials to a session on the server.
+The default is
+.Dq yes .
+.It Cm GSSAPITrustDns
+Set to
+.Dq yes to indicate that the DNS is trusted to securely canonicalize
+the name of the host being connected to. If
+.Dq no, the hostname entered on the
+command line will be passed untouched to the GSSAPI library.
+The default is
+.Dq yes .
+This option only applies to protocol version 2 connections using GSSAPI.
.It Cm HashKnownHosts
Indicates that
.Xr ssh 1
It is possible to have
multiple identity files specified in configuration files; all these
identities will be tried in sequence.
+.It Cm KbdInteractiveAuthentication
+Specifies whether to use keyboard-interactive authentication.
+The argument to this keyword must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq yes .
.It Cm KbdInteractiveDevices
Specifies the list of methods to use in keyboard-interactive authentication.
Multiple method names must be comma-separated.
Specifies a command to execute on the local machine after successfully
connecting to the server.
The command string extends to the end of the line, and is executed with
-.Pa /bin/sh .
+the user's shell.
+The following escape character substitutions will be performed:
+.Ql %d
+(local user's home directory),
+.Ql %h
+(remote host name),
+.Ql %l
+(local host name),
+.Ql %n
+(host name as provided on the command line),
+.Ql %p
+(remote port),
+.Ql %r
+(remote user name) or
+.Ql %u
+(local user name).
This directive is ignored unless
.Cm PermitLocalCommand
has been enabled.
over another method (e.g.\&
.Cm password )
The default for this option is:
-.Do gssapi-with-mic ,
+.Do gssapi-keyex ,
+gssapi-with-mic,
hostbased,
publickey,
keyboard-interactive,
Specifies the command to use to connect to the server.
The command
string extends to the end of the line, and is executed with
-.Pa /bin/sh .
+the user's shell.
In the command string,
.Ql %h
will be substituted by the host name to
.Ar host Ns / Ns Ar hostport .
Multiple forwardings may be specified, and additional
forwardings can be given on the command line.
-Only the superuser can forward privileged ports.
+Privileged ports can be forwarded only when
+logging in as root on the remote machine.
+.Pp
+If the
+.Ar port
+argument is
+.Ql 0 ,
+the listen port will be dynamically allocated on the server and reported
+to the client at run time.
.Pp
If the
.Ar bind_address
.Sx VERIFYING HOST KEYS
in
.Xr ssh 1 .
+.It Cm VisualHostKey
+If this flag is set to
+.Dq yes ,
+an ASCII art representation of the remote host key fingerprint is
+printed in addition to the hex fingerprint string at login and
+for unknown host keys.
+If this flag is set to
+.Dq no ,
+no fingerprint strings are printed at login and
+only the hex fingerprint string will be printed for unknown host keys.
+The default is
+.Dq no .
.It Cm XAuthLocation
Specifies the full pathname of the
.Xr xauth 1
andersk / gssapi-openssh.git / blobdiff