X-Git-Url: http://andersk.mit.edu/gitweb/gssapi-openssh.git/blobdiff_plain/476861787f6e1b8a6c6af9307a15b9e57cb979dc..071d8001c928b4929a48dada8d855ebe014b3792:/openssh/ssh_config.5 diff --git a/openssh/ssh_config.5 b/openssh/ssh_config.5 index 17fc0ec..a72a35b 100644 --- a/openssh/ssh_config.5 +++ b/openssh/ssh_config.5 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.105 2007/10/29 07:48:19 jmc Exp $ -.Dd $Mdocdate: December 2 2007 $ +.\" $OpenBSD: ssh_config.5,v 1.119 2009/02/22 23:50:57 djm Exp $ +.Dd $Mdocdate: February 22 2009 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -56,6 +56,12 @@ command-line options user's configuration file .Pq Pa ~/.ssh/config .It +GSSAPI configuration file +.Pq Pa $HOME/.ssh/config.gssapi +.It +Kerberos configuration file +.Pq Pa $HOME/.ssh/config.krb +.It system-wide configuration file .Pq Pa /etc/ssh/ssh_config .El @@ -103,6 +109,7 @@ Restricts the following declarations (up to the next .Cm Host keyword) to be only for those hosts that match one of the patterns given after the keyword. +If more than one pattern is provided, they should be separated by whitespace. A single .Ql * as a pattern can be used to provide global @@ -203,9 +210,9 @@ and .Dq cast128-cbc . The default is: .Bd -literal -offset 3n -aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, -arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, -aes192-ctr,aes256-ctr +aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, +aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, +aes256-cbc,arcfour .Ed .It Cm ClearAllForwardings Specifies that all local, remote, and dynamic port forwardings 
@@ -475,13 +482,40 @@ host key database instead of .It Cm GSSAPIAuthentication Specifies whether user authentication based on GSSAPI is allowed. The default is -.Dq no . +.Dq yes . Note that this option applies to protocol version 2 only. +.It Cm GSSAPIKeyExchange +Specifies whether key exchange based on GSSAPI may be used. When using +GSSAPI key exchange the server need not have a host key. +The default is +.Dq yes . +Note that this option applies to protocol version 2 only. +.It Cm GSSAPIClientIdentity +If set, specifies the GSSAPI client identity that ssh should use when +connecting to the server. The default is unset, which means that the default +identity will be used. .It Cm GSSAPIDelegateCredentials Forward (delegate) credentials to the server. The default is -.Dq no . -Note that this option applies to protocol version 2 only. +.Dq yes . +Note that this option applies to protocol version 2 connections using GSSAPI. +.It Cm GSSAPIRenewalForcesRekey +If set to +.Dq yes +then renewal of the client's GSSAPI credentials will force the rekeying of the +ssh connection. With a compatible server, this can delegate the renewed +credentials to a session on the server. +The default is +.Dq yes . +.It Cm GSSAPITrustDns +Set to +.Dq yes to indicate that the DNS is trusted to securely canonicalize +the name of the host being connected to. If +.Dq no, the hostname entered on the +command line will be passed untouched to the GSSAPI library. +The default is +.Dq yes . +This option only applies to protocol version 2 connections using GSSAPI. .It Cm HashKnownHosts Indicates that .Xr ssh 1 
@@ -600,6 +634,21 @@ Specifies a command to execute on the local machine after successfully connecting to the server. The command string extends to the end of the line, and is executed with the user's shell. +The following escape character substitutions will be performed: +.Ql %d +(local user's home directory), +.Ql %h +(remote host name), +.Ql %l +(local host name), +.Ql %n +(host name as provided on the command line), +.Ql %p +(remote port), +.Ql %r +(remote user name) or +.Ql %u +(local user name). This directive is ignored unless .Cm PermitLocalCommand has been enabled. @@ -699,7 +748,9 @@ This allows a client to prefer one method (e.g.\& over another method (e.g.\& .Cm password ) The default for this option is: -.Do gssapi-with-mic , +.Do gssapi-keyex , +external-keyx, +gssapi-with-mic, hostbased, publickey, keyboard-interactive, @@ -795,7 +846,15 @@ and .Ar host Ns / Ns Ar hostport . Multiple forwardings may be specified, and additional forwardings can be given on the command line. -Only the superuser can forward privileged ports. +Privileged ports can be forwarded only when +logging in as root on the remote machine. +.Pp +If the +.Ar port +argument is +.Ql 0 , +the listen port will be dynamically allocated on the server and reported +to the client at run time. .Pp If the .Ar bind_address @@ -1044,6 +1103,18 @@ See also .Sx VERIFYING HOST KEYS in .Xr ssh 1 . +.It Cm VisualHostKey +If this flag is set to +.Dq yes , +an ASCII art representation of the remote host key fingerprint is +printed in addition to the hex fingerprint string at login and +for unknown host keys. +If this flag is set to +.Dq no , +no fingerprint strings are printed at login and +only the hex fingerprint string will be printed for unknown host keys. +The default is +.Dq no . .It Cm XAuthLocation Specifies the full pathname of the .Xr xauth 1
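Review bot: In the @@ -56,6 +56,12 @@ hunk, the two new list entries give their paths as $HOME/.ssh/config.gssapi and $HOME/.ssh/config.krb while the neighbouring entry uses ~/.ssh/config, and nothing says under what conditions either file is read. The new entries sit between the user's file and the system-wide file in this list, so please use the same path notation as the existing entry and add a sentence on when each file is consulted, so a reader can tell which source supplies a given option.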
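Review bot: In the @@ -475,13 +482,40 @@ hunk, GSSAPIDelegateCredentials changes its default from "no" to "yes" and the new GSSAPITrustDns also defaults to "yes", so a client with no explicit configuration forwards its credentials to the server and relies on DNS to canonicalize the host name. The text should state that consequence and show how to turn both off per host, or the defaults should stay at "no". Separately, the GSSAPITrustDns text puts prose on the macro lines (".Dq yes to indicate that the DNS ..." and ".Dq no, the hostname ..."), which quotes the rest of each line rather than just the keyword; put ".Dq yes" and ".Dq no ," on their own lines, as the other options in this hunk do.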
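Review bot: In the @@ -600,6 +634,21 @@ hunk, the new substitution list follows directly after the statement that the command "is executed with the user's shell", but it does not say whether the substituted values are quoted or escaped before the shell sees them. Values such as %h, %n and %r are not fixed by the author of the LocalCommand line, so please document the quoting behaviour here. The list also joins its last two items with "or" ("(remote user name) or") where "and" is meant.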
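Review bot: In the @@ -699,7 +748,9 @@ hunk, the added method name "external-keyx" is spelled differently from "gssapi-keyex" on the line above it, which looks like a dropped "e". Please check it against the method name the client actually accepts, since a user who copies the documented default into PreferredAuthentications would otherwise list a name that matches nothing.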