+++ /dev/null
-SSH_CONFIG(5) OpenBSD Programmer's Manual SSH_CONFIG(5)
-
-NAME
- ssh_config - OpenSSH SSH client configuration files
-
-SYNOPSIS
- ~/.ssh/config
- /etc/ssh/ssh_config
-
-DESCRIPTION
- ssh(1) obtains configuration data from the following sources in the fol-
- lowing order:
-
- 1. command-line options
- 2. user's configuration file (~/.ssh/config)
- 3. system-wide configuration file (/etc/ssh/ssh_config)
-
- For each parameter, the first obtained value will be used. The configu-
- ration files contain sections separated by ``Host'' specifications, and
- that section is only applied for hosts that match one of the patterns
- given in the specification. The matched host name is the one given on
- the command line.
-
- Since the first obtained value for each parameter is used, more host-spe-
- cific declarations should be given near the beginning of the file, and
- general defaults at the end.
-
- The configuration file has the following format:
-
- Empty lines and lines starting with `#' are comments. Otherwise a line
- is of the format ``keyword arguments''. Configuration options may be
- separated by whitespace or optional whitespace and exactly one `='; the
- latter format is useful to avoid the need to quote whitespace when speci-
- fying configuration options using the ssh, scp, and sftp -o option. Ar-
- guments may optionally be enclosed in double quotes (") in order to rep-
- resent arguments containing spaces.
-
- The possible keywords and their meanings are as follows (note that key-
- words are case-insensitive and arguments are case-sensitive):
-
- Host Restricts the following declarations (up to the next Host key-
- word) to be only for those hosts that match one of the patterns
- given after the keyword. A single `*' as a pattern can be used
- to provide global defaults for all hosts. The host is the
- hostname argument given on the command line (i.e. the name is not
- converted to a canonicalized host name before matching).
-
- See PATTERNS for more information on patterns.
-
- AddressFamily
- Specifies which address family to use when connecting. Valid ar-
- guments are ``any'', ``inet'' (use IPv4 only), or ``inet6'' (use
- IPv6 only).
-
- BatchMode
- If set to ``yes'', passphrase/password querying will be disabled.
- This option is useful in scripts and other batch jobs where no
- user is present to supply the password. The argument must be
- ``yes'' or ``no''. The default is ``no''.
-
- BindAddress
- Use the specified address on the local machine as the source ad-
- dress of the connection. Only useful on systems with more than
- one address. Note that this option does not work if
- UsePrivilegedPort is set to ``yes''.
-
- ChallengeResponseAuthentication
- Specifies whether to use challenge-response authentication. The
- argument to this keyword must be ``yes'' or ``no''. The default
- is ``yes''.
-
- CheckHostIP
- If this flag is set to ``yes'', ssh(1) will additionally check
- the host IP address in the known_hosts file. This allows ssh to
- detect if a host key changed due to DNS spoofing. If the option
- is set to ``no'', the check will not be executed. The default is
- ``yes''.
-
- Cipher Specifies the cipher to use for encrypting the session in proto-
- col version 1. Currently, ``blowfish'', ``3des'', and ``des''
- are supported. des is only supported in the ssh(1) client for
- interoperability with legacy protocol 1 implementations that do
- not support the 3des cipher. Its use is strongly discouraged due
- to cryptographic weaknesses. The default is ``3des''.
-
- Ciphers
- Specifies the ciphers allowed for protocol version 2 in order of
- preference. Multiple ciphers must be comma-separated. The sup-
- ported ciphers are ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'',
- ``aes256-cbc'', ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'',
- ``arcfour128'', ``arcfour256'', ``arcfour'', ``blowfish-cbc'',
- and ``cast128-cbc''. The default is:
-
- aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
- arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
- aes192-ctr,aes256-ctr
-
- ClearAllForwardings
- Specifies that all local, remote, and dynamic port forwardings
- specified in the configuration files or on the command line be
- cleared. This option is primarily useful when used from the
- ssh(1) command line to clear port forwardings set in configura-
- tion files, and is automatically set by scp(1) and sftp(1). The
- argument must be ``yes'' or ``no''. The default is ``no''.
-
- Compression
- Specifies whether to use compression. The argument must be
- ``yes'' or ``no''. The default is ``no''.
-
- CompressionLevel
- Specifies the compression level to use if compression is enabled.
- The argument must be an integer from 1 (fast) to 9 (slow, best).
- The default level is 6, which is good for most applications. The
- meaning of the values is the same as in gzip(1). Note that this
- option applies to protocol version 1 only.
-
- ConnectionAttempts
- Specifies the number of tries (one per second) to make before ex-
- iting. The argument must be an integer. This may be useful in
- scripts if the connection sometimes fails. The default is 1.
-
- ConnectTimeout
- Specifies the timeout (in seconds) used when connecting to the
- SSH server, instead of using the default system TCP timeout.
- This value is used only when the target is down or really un-
- reachable, not when it refuses the connection.
-
- ControlMaster
- Enables the sharing of multiple sessions over a single network
- connection. When set to ``yes'', ssh(1) will listen for connec-
- tions on a control socket specified using the ControlPath argu-
- ment. Additional sessions can connect to this socket using the
- same ControlPath with ControlMaster set to ``no'' (the default).
- These sessions will try to reuse the master instance's network
- connection rather than initiating new ones, but will fall back to
- connecting normally if the control socket does not exist, or is
- not listening.
-
- Setting this to ``ask'' will cause ssh to listen for control con-
- nections, but require confirmation using the SSH_ASKPASS program
- before they are accepted (see ssh-add(1) for details). If the
- ControlPath cannot be opened, ssh will continue without connect-
- ing to a master instance.
-
- X11 and ssh-agent(1) forwarding is supported over these multi-
- plexed connections, however the display and agent forwarded will
- be the one belonging to the master connection i.e. it is not pos-
- sible to forward multiple displays or agents.
-
- Two additional options allow for opportunistic multiplexing: try
- to use a master connection but fall back to creating a new one if
- one does not already exist. These options are: ``auto'' and
- ``autoask''. The latter requires confirmation like the ``ask''
- option.
-
- ControlPath
- Specify the path to the control socket used for connection shar-
- ing as described in the ControlMaster section above or the string
- ``none'' to disable connection sharing. In the path, `%l' will
- be substituted by the local host name, `%h' will be substituted
- by the target host name, `%p' the port, and `%r' by the remote
- login username. It is recommended that any ControlPath used for
- opportunistic connection sharing include at least %h, %p, and %r.
- This ensures that shared connections are uniquely identified.
-
- DynamicForward
- Specifies that a TCP port on the local machine be forwarded over
- the secure channel, and the application protocol is then used to
- determine where to connect to from the remote machine.
-
- The argument must be [bind_address:]port. IPv6 addresses can be
- specified by enclosing addresses in square brackets or by using
- an alternative syntax: [bind_address/]port. By default, the lo-
- cal port is bound in accordance with the GatewayPorts setting.
- However, an explicit bind_address may be used to bind the connec-
- tion to a specific address. The bind_address of ``localhost''
- indicates that the listening port be bound for local use only,
- while an empty address or `*' indicates that the port should be
- available from all interfaces.
-
- Currently the SOCKS4 and SOCKS5 protocols are supported, and
- ssh(1) will act as a SOCKS server. Multiple forwardings may be
- specified, and additional forwardings can be given on the command
- line. Only the superuser can forward privileged ports.
-
- EnableSSHKeysign
- Setting this option to ``yes'' in the global client configuration
- file /etc/ssh/ssh_config enables the use of the helper program
- ssh-keysign(8) during HostbasedAuthentication. The argument must
- be ``yes'' or ``no''. The default is ``no''. This option should
- be placed in the non-hostspecific section. See ssh-keysign(8)
- for more information.
-
- EscapeChar
- Sets the escape character (default: `~'). The escape character
- can also be set on the command line. The argument should be a
- single character, `^' followed by a letter, or ``none'' to dis-
- able the escape character entirely (making the connection trans-
- parent for binary data).
-
- ExitOnForwardFailure
- Specifies whether ssh(1) should terminate the connection if it
- cannot set up all requested dynamic, local, and remote port for-
- wardings. The argument must be ``yes'' or ``no''. The default
- is ``no''.
-
- ForwardAgent
- Specifies whether the connection to the authentication agent (if
- any) will be forwarded to the remote machine. The argument must
- be ``yes'' or ``no''. The default is ``no''.
-
- Agent forwarding should be enabled with caution. Users with the
- ability to bypass file permissions on the remote host (for the
- agent's Unix-domain socket) can access the local agent through
- the forwarded connection. An attacker cannot obtain key material
- from the agent, however they can perform operations on the keys
- that enable them to authenticate using the identities loaded into
- the agent.
-
- ForwardX11
- Specifies whether X11 connections will be automatically redirect-
- ed over the secure channel and DISPLAY set. The argument must be
- ``yes'' or ``no''. The default is ``no''.
-
- X11 forwarding should be enabled with caution. Users with the
- ability to bypass file permissions on the remote host (for the
- user's X11 authorization database) can access the local X11 dis-
- play through the forwarded connection. An attacker may then be
- able to perform activities such as keystroke monitoring if the
- ForwardX11Trusted option is also enabled.
-
- ForwardX11Trusted
- If this option is set to ``yes'', remote X11 clients will have
- full access to the original X11 display.
-
- If this option is set to ``no'', remote X11 clients will be con-
- sidered untrusted and prevented from stealing or tampering with
- data belonging to trusted X11 clients. Furthermore, the xauth(1)
- token used for the session will be set to expire after 20 min-
- utes. Remote clients will be refused access after this time.
-
- The default is ``no''.
-
- See the X11 SECURITY extension specification for full details on
- the restrictions imposed on untrusted clients.
-
- GatewayPorts
- Specifies whether remote hosts are allowed to connect to local
- forwarded ports. By default, ssh(1) binds local port forwardings
- to the loopback address. This prevents other remote hosts from
- connecting to forwarded ports. GatewayPorts can be used to spec-
- ify that ssh should bind local port forwardings to the wildcard
- address, thus allowing remote hosts to connect to forwarded
- ports. The argument must be ``yes'' or ``no''. The default is
- ``no''.
-
- GlobalKnownHostsFile
- Specifies a file to use for the global host key database instead
- of /etc/ssh/ssh_known_hosts.
-
- GSSAPIAuthentication
- Specifies whether user authentication based on GSSAPI is allowed.
- The default is ``no''. Note that this option applies to protocol
- version 2 only.
-
- GSSAPIDelegateCredentials
- Forward (delegate) credentials to the server. The default is
- ``no''. Note that this option applies to protocol version 2 on-
- ly.
-
- HashKnownHosts
- Indicates that ssh(1) should hash host names and addresses when
- they are added to ~/.ssh/known_hosts. These hashed names may be
- used normally by ssh(1) and sshd(8), but they do not reveal iden-
- tifying information should the file's contents be disclosed. The
- default is ``no''. Note that existing names and addresses in
- known hosts files will not be converted automatically, but may be
- manually hashed using ssh-keygen(1).
-
- HostbasedAuthentication
- Specifies whether to try rhosts based authentication with public
- key authentication. The argument must be ``yes'' or ``no''. The
- default is ``no''. This option applies to protocol version 2 on-
- ly and is similar to RhostsRSAAuthentication.
-
- HostKeyAlgorithms
- Specifies the protocol version 2 host key algorithms that the
- client wants to use in order of preference. The default for this
- option is: ``ssh-rsa,ssh-dss''.
-
- HostKeyAlias
- Specifies an alias that should be used instead of the real host
- name when looking up or saving the host key in the host key
- database files. This option is useful for tunneling SSH connec-
- tions or for multiple servers running on a single host.
-
- HostName
- Specifies the real host name to log into. This can be used to
- specify nicknames or abbreviations for hosts. The default is the
- name given on the command line. Numeric IP addresses are also
- permitted (both on the command line and in HostName specifica-
- tions).
-
- IdentitiesOnly
- Specifies that ssh(1) should only use the authentication identity
- files configured in the ssh_config files, even if ssh-agent(1)
- offers more identities. The argument to this keyword must be
- ``yes'' or ``no''. This option is intended for situations where
- ssh-agent offers many different identities. The default is
- ``no''.
-
- IdentityFile
- Specifies a file from which the user's RSA or DSA authentication
- identity is read. The default is ~/.ssh/identity for protocol
- version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol ver-
- sion 2. Additionally, any identities represented by the authen-
- tication agent will be used for authentication.
-
- The file name may use the tilde syntax to refer to a user's home
- directory or one of the following escape characters: `%d' (local
- user's home directory), `%u' (local user name), `%l' (local host
- name), `%h' (remote host name) or `%r' (remote user name).
-
- It is possible to have multiple identity files specified in con-
- figuration files; all these identities will be tried in sequence.
-
- KbdInteractiveDevices
- Specifies the list of methods to use in keyboard-interactive au-
- thentication. Multiple method names must be comma-separated.
- The default is to use the server specified list. The methods
- available vary depending on what the server supports. For an
- OpenSSH server, it may be zero or more of: ``bsdauth'', ``pam'',
- and ``skey''.
-
- LocalCommand
- Specifies a command to execute on the local machine after suc-
- cessfully connecting to the server. The command string extends
- to the end of the line, and is executed with /bin/sh. This di-
- rective is ignored unless PermitLocalCommand has been enabled.
-
- LocalForward
- Specifies that a TCP port on the local machine be forwarded over
- the secure channel to the specified host and port from the remote
- machine. The first argument must be [bind_address:]port and the
- second argument must be host:hostport. IPv6 addresses can be
- specified by enclosing addresses in square brackets or by using
- an alternative syntax: [bind_address/]port and host/hostport.
- Multiple forwardings may be specified, and additional forwardings
- can be given on the command line. Only the superuser can forward
- privileged ports. By default, the local port is bound in accor-
- dance with the GatewayPorts setting. However, an explicit
- bind_address may be used to bind the connection to a specific ad-
- dress. The bind_address of ``localhost'' indicates that the lis-
- tening port be bound for local use only, while an empty address
- or `*' indicates that the port should be available from all in-
- terfaces.
-
- LogLevel
- Gives the verbosity level that is used when logging messages from
- ssh(1). The possible values are: QUIET, FATAL, ERROR, INFO, VER-
- BOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO.
- DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify
- higher levels of verbose output.
-
- MACs Specifies the MAC (message authentication code) algorithms in or-
- der of preference. The MAC algorithm is used in protocol version
- 2 for data integrity protection. Multiple algorithms must be
- comma-separated. The default is: ``hmac-md5,hmac-sha1,hmac-
- ripemd160,hmac-sha1-96,hmac-md5-96''.
-
- NoHostAuthenticationForLocalhost
- This option can be used if the home directory is shared across
- machines. In this case localhost will refer to a different ma-
- chine on each of the machines and the user will get many warnings
- about changed host keys. However, this option disables host au-
- thentication for localhost. The argument to this keyword must be
- ``yes'' or ``no''. The default is to check the host key for lo-
- calhost.
-
- NumberOfPasswordPrompts
- Specifies the number of password prompts before giving up. The
- argument to this keyword must be an integer. The default is 3.
-
- PasswordAuthentication
- Specifies whether to use password authentication. The argument
- to this keyword must be ``yes'' or ``no''. The default is
- ``yes''.
-
- PermitLocalCommand
- Allow local command execution via the LocalCommand option or us-
- ing the !command escape sequence in ssh(1). The argument must be
- ``yes'' or ``no''. The default is ``no''.
-
- Port Specifies the port number to connect on the remote host. The de-
- fault is 22.
-
- PreferredAuthentications
- Specifies the order in which the client should try protocol 2 au-
- thentication methods. This allows a client to prefer one method
- (e.g. keyboard-interactive) over another method (e.g. password)
- The default for this option is: ``gssapi-with-mic,hostbased,
- publickey, keyboard-interactive, password''.
-
- Protocol
- Specifies the protocol versions ssh(1) should support in order of
- preference. The possible values are `1' and `2'. Multiple ver-
- sions must be comma-separated. The default is ``2,1''. This
- means that ssh tries version 2 and falls back to version 1 if
- version 2 is not available.
-
- ProxyCommand
- Specifies the command to use to connect to the server. The com-
- mand string extends to the end of the line, and is executed with
- /bin/sh. In the command string, `%h' will be substituted by the
- host name to connect and `%p' by the port. The command can be
- basically anything, and should read from its standard input and
- write to its standard output. It should eventually connect an
- sshd(8) server running on some machine, or execute sshd -i some-
- where. Host key management will be done using the HostName of
- the host being connected (defaulting to the name typed by the us-
- er). Setting the command to ``none'' disables this option en-
- tirely. Note that CheckHostIP is not available for connects with
- a proxy command.
-
- This directive is useful in conjunction with nc(1) and its proxy
- support. For example, the following directive would connect via
- an HTTP proxy at 192.0.2.0:
-
- ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
-
- PubkeyAuthentication
- Specifies whether to try public key authentication. The argument
- to this keyword must be ``yes'' or ``no''. The default is
- ``yes''. This option applies to protocol version 2 only.
-
- RekeyLimit
- Specifies the maximum amount of data that may be transmitted be-
- fore the session key is renegotiated. The argument is the number
- of bytes, with an optional suffix of `K', `M', or `G' to indicate
- Kilobytes, Megabytes, or Gigabytes, respectively. The default is
- between `1G' and `4G', depending on the cipher. This option ap-
- plies to protocol version 2 only.
-
- RemoteForward
- Specifies that a TCP port on the remote machine be forwarded over
- the secure channel to the specified host and port from the local
- machine. The first argument must be [bind_address:]port and the
- second argument must be host:hostport. IPv6 addresses can be
- specified by enclosing addresses in square brackets or by using
- an alternative syntax: [bind_address/]port and host/hostport.
- Multiple forwardings may be specified, and additional forwardings
- can be given on the command line. Only the superuser can forward
- privileged ports.
-
- If the bind_address is not specified, the default is to only bind
- to loopback addresses. If the bind_address is `*' or an empty
- string, then the forwarding is requested to listen on all inter-
- faces. Specifying a remote bind_address will only succeed if the
- server's GatewayPorts option is enabled (see sshd_config(5)).
-
- RhostsRSAAuthentication
- Specifies whether to try rhosts based authentication with RSA
- host authentication. The argument must be ``yes'' or ``no''.
- The default is ``no''. This option applies to protocol version 1
- only and requires ssh(1) to be setuid root.
-
- RSAAuthentication
- Specifies whether to try RSA authentication. The argument to
- this keyword must be ``yes'' or ``no''. RSA authentication will
- only be attempted if the identity file exists, or an authentica-
- tion agent is running. The default is ``yes''. Note that this
- option applies to protocol version 1 only.
-
- SendEnv
- Specifies what variables from the local environ(7) should be sent
- to the server. Note that environment passing is only supported
- for protocol 2. The server must also support it, and the server
- must be configured to accept these environment variables. Refer
- to AcceptEnv in sshd_config(5) for how to configure the server.
- Variables are specified by name, which may contain wildcard char-
- acters. Multiple environment variables may be separated by
- whitespace or spread across multiple SendEnv directives. The de-
- fault is not to send any environment variables.
-
- See PATTERNS for more information on patterns.
-
- ServerAliveCountMax
- Sets the number of server alive messages (see below) which may be
- sent without ssh(1) receiving any messages back from the server.
- If this threshold is reached while server alive messages are be-
- ing sent, ssh will disconnect from the server, terminating the
- session. It is important to note that the use of server alive
- messages is very different from TCPKeepAlive (below). The server
- alive messages are sent through the encrypted channel and there-
- fore will not be spoofable. The TCP keepalive option enabled by
- TCPKeepAlive is spoofable. The server alive mechanism is valu-
- able when the client or server depend on knowing when a connec-
- tion has become inactive.
-
- The default value is 3. If, for example, ServerAliveInterval
- (see below) is set to 15 and ServerAliveCountMax is left at the
- default, if the server becomes unresponsive, ssh will disconnect
- after approximately 45 seconds. This option applies to protocol
- version 2 only.
-
- ServerAliveInterval
- Sets a timeout interval in seconds after which if no data has
- been received from the server, ssh(1) will send a message through
- the encrypted channel to request a response from the server. The
- default is 0, indicating that these messages will not be sent to
- the server. This option applies to protocol version 2 only.
-
- SmartcardDevice
- Specifies which smartcard device to use. The argument to this
- keyword is the device ssh(1) should use to communicate with a
- smartcard used for storing the user's private RSA key. By de-
- fault, no device is specified and smartcard support is not acti-
- vated.
-
- StrictHostKeyChecking
- If this flag is set to ``yes'', ssh(1) will never automatically
- add host keys to the ~/.ssh/known_hosts file, and refuses to con-
- nect to hosts whose host key has changed. This provides maximum
- protection against trojan horse attacks, though it can be annoy-
- ing when the /etc/ssh/ssh_known_hosts file is poorly maintained
- or when connections to new hosts are frequently made. This op-
- tion forces the user to manually add all new hosts. If this flag
- is set to ``no'', ssh will automatically add new host keys to the
- user known hosts files. If this flag is set to ``ask'', new host
- keys will be added to the user known host files only after the
- user has confirmed that is what they really want to do, and ssh
- will refuse to connect to hosts whose host key has changed. The
- host keys of known hosts will be verified automatically in all
- cases. The argument must be ``yes'', ``no'', or ``ask''. The
- default is ``ask''.
-
- TCPKeepAlive
- Specifies whether the system should send TCP keepalive messages
- to the other side. If they are sent, death of the connection or
- crash of one of the machines will be properly noticed. However,
- this means that connections will die if the route is down tem-
- porarily, and some people find it annoying.
-
- The default is ``yes'' (to send TCP keepalive messages), and the
- client will notice if the network goes down or the remote host
- dies. This is important in scripts, and many users want it too.
-
- To disable TCP keepalive messages, the value should be set to
- ``no''.
-
- Tunnel Request tun(4) device forwarding between the client and the serv-
- er. The argument must be ``yes'', ``point-to-point'' (layer 3),
- ``ethernet'' (layer 2), or ``no''. Specifying ``yes'' requests
- the default tunnel mode, which is ``point-to-point''. The de-
- fault is ``no''.
-
- TunnelDevice
- Specifies the tun(4) devices to open on the client (local_tun)
- and the server (remote_tun).
-
- The argument must be local_tun[:remote_tun]. The devices may be
- specified by numerical ID or the keyword ``any'', which uses the
- next available tunnel device. If remote_tun is not specified, it
- defaults to ``any''. The default is ``any:any''.
-
- UsePrivilegedPort
- Specifies whether to use a privileged port for outgoing connec-
- tions. The argument must be ``yes'' or ``no''. The default is
- ``no''. If set to ``yes'', ssh(1) must be setuid root. Note
- that this option must be set to ``yes'' for
- RhostsRSAAuthentication with older servers.
-
- User Specifies the user to log in as. This can be useful when a dif-
- ferent user name is used on different machines. This saves the
- trouble of having to remember to give the user name on the com-
- mand line.
-
- UserKnownHostsFile
- Specifies a file to use for the user host key database instead of
- ~/.ssh/known_hosts.
-
- VerifyHostKeyDNS
- Specifies whether to verify the remote key using DNS and SSHFP
- resource records. If this option is set to ``yes'', the client
- will implicitly trust keys that match a secure fingerprint from
- DNS. Insecure fingerprints will be handled as if this option was
- set to ``ask''. If this option is set to ``ask'', information on
- fingerprint match will be displayed, but the user will still need
- to confirm new host keys according to the StrictHostKeyChecking
- option. The argument must be ``yes'', ``no'', or ``ask''. The
- default is ``no''. Note that this option applies to protocol
- version 2 only.
-
- See also VERIFYING HOST KEYS in ssh(1).
-
- XAuthLocation
- Specifies the full pathname of the xauth(1) program. The default
- is /usr/X11R6/bin/xauth.
-
-PATTERNS
- A pattern consists of zero or more non-whitespace characters, `*' (a
- wildcard that matches zero or more characters), or `?' (a wildcard that
- matches exactly one character). For example, to specify a set of decla-
- rations for any host in the ``.co.uk'' set of domains, the following pat-
- tern could be used:
-
- Host *.co.uk
-
- The following pattern would match any host in the 192.168.0.[0-9] network
- range:
-
- Host 192.168.0.?
-
- A pattern-list is a comma-separated list of patterns. Patterns within
- pattern-lists may be negated by preceding them with an exclamation mark
- (`!'). For example, to allow a key to be used from anywhere within an
- organisation except from the ``dialup'' pool, the following entry (in au-
- thorized_keys) could be used:
-
- from="!*.dialup.example.com,*.example.com"
-
-FILES
- ~/.ssh/config
- This is the per-user configuration file. The format of this file
- is described above. This file is used by the SSH client. Be-
- cause of the potential for abuse, this file must have strict per-
- missions: read/write for the user, and not accessible by others.
-
- /etc/ssh/ssh_config
- Systemwide configuration file. This file provides defaults for
- those values that are not specified in the user's configuration
- file, and for those users who do not have a configuration file.
- This file must be world-readable.
-
-SEE ALSO
- ssh(1)
-
-AUTHORS
- OpenSSH is a derivative of the original and free ssh 1.2.12 release by
- Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
- de Raadt and Dug Song removed many bugs, re-added newer features and cre-
- ated OpenSSH. Markus Friedl contributed the support for SSH protocol
- versions 1.5 and 2.0.
-
-OpenBSD 4.0 September 25, 1999 10