openssh-portable/ssh_config

#	$OpenBSD: ssh_config,v 1.36 2023/08/02 23:04:38 djm Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   BatchMode no
#   CheckHostIP no
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/id_ecdsa
#   IdentityFile ~/.ssh/id_ed25519
#   Port 22
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
#   RekeyLimit 1G 1h
#   UserKnownHostsFile ~/.ssh/known_hosts.d/%k
upstream: CheckHostIP has defaulted to 'no' for a while; make the commented- out config option match. From Ed Maste OpenBSD-Commit-ID: e66e934c45a9077cb1d51fc4f8d3df4505db58d9 2023-08-03 01:04:38 +02:00			`# $OpenBSD: ssh_config,v 1.36 2023/08/02 23:04:38 djm Exp $`
- niklas@cvs.openbsd.org 2001/01/2001 [atomicio.h canohost.h clientloop.h deattack.h dh.h dispatch.h groupaccess.c groupaccess.h hmac.h hostfile.h includes.h kex.h key.h log.h login.h match.h misc.h myproposal.h nchan.ms pathnames.h radix.h readpass.h rijndael.h serverloop.h session.h sftp.h ssh-add.1 ssh-dss.h ssh-keygen.1 ssh-keyscan.1 ssh-rsa.h ssh1.h ssh_config sshconnect.h sshd_config tildexpand.h uidswap.h uuencode.h] $OpenBSD$ 2001-01-29 08:39:26 +01:00
- stevesk@cvs.openbsd.org 2002/06/20 20:03:34 [ssh_config sshd_config] refer to config file man page 2002-06-21 03:06:03 +02:00			`# This is the ssh client system-wide configuration file. See`
			`# ssh_config(5) for more information. This file provides defaults for`
			`# users, and the values can be changed in per-user configuration files`
			`# or on the command line.`
Initial revision 1999-10-27 05:42:43 +02:00
			`# Configuration data is parsed as follows:`
			`# 1. command line options`
			`# 2. user-specific file`
			`# 3. system-wide file`
			`# Any configuration value is only changed the first time it is set.`
			`# Thus, host-specific definitions should be at the beginning of the`
			`# configuration file, and defaults at the end.`

- dtucker@cvs.openbsd.org 2005/01/28 09:45:53 [ssh_config] Make it clear that the example entries in ssh_config are only some of the commonly-used options and refer the user to ssh_config(5) for more details; ok djm@ 2005-02-08 23:46:47 +01:00			`# Site-wide defaults for some commonly used options. For a comprehensive`
			`# list of available options, their meanings and defaults, please see the`
			`# ssh_config(5) man page.`
Initial revision 1999-10-27 05:42:43 +02:00
			`# Host *`
- (djm) Merge OpenBSD changes: - markus@cvs.openbsd.org 2000/11/06 16:04:56 [channels.c channels.h clientloop.c nchan.c serverloop.c] [session.c ssh.c] agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi - markus@cvs.openbsd.org 2000/11/06 16:13:27 [ssh.c sshconnect.c sshd.c] do not disabled rhosts(rsa) if server port > 1024; from pekkas@netcore.fi - markus@cvs.openbsd.org 2000/11/06 16:16:35 [sshconnect.c] downgrade client to 1.3 if server is 1.4; help from mdb@juniper.net - markus@cvs.openbsd.org 2000/11/09 18:04:40 [auth1.c] typo; from mouring@pconline.com - markus@cvs.openbsd.org 2000/11/12 12:03:28 [ssh-agent.c] off-by-one when removing a key from the agent - markus@cvs.openbsd.org 2000/11/12 12:50:39 [auth-rh-rsa.c auth2.c authfd.c authfd.h] [authfile.c hostfile.c kex.c kex.h key.c key.h myproposal.h] [readconf.c readconf.h rsa.c rsa.h servconf.c servconf.h ssh-add.c] [ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh.1 ssh.c ssh_config] [sshconnect1.c sshconnect2.c sshd.8 sshd.c sshd_config ssh-dss.c] [ssh-dss.h ssh-rsa.c ssh-rsa.h dsa.c dsa.h] add support for RSA to SSH2. please test. there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2. you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys. SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before. - (djm) Fix up Makefile and Redhat init script to create RSA host keys - (djm) Change to interim version 2000-11-13 12:57:25 +01:00			`# ForwardAgent no`
			`# ForwardX11 no`
Initial revision 1999-10-27 05:42:43 +02:00			`# PasswordAuthentication yes`
- markus@cvs.openbsd.org 2002/07/03 14:21:05 [ssh-keysign.8 ssh-keysign.c ssh.c ssh_config] re-enable ssh-keysign's sbit, but make ssh-keysign read /etc/ssh/ssh_config and exit if HostbasedAuthentication is disabled globally. based on discussions with deraadt, itojun and sommerfeld; ok itojun@ 2002-07-04 02:19:40 +02:00			`# HostbasedAuthentication no`
- dtucker@cvs.openbsd.org 2006/05/29 12:56:33 [ssh_config] Add GSSAPIAuthentication and GSSAPIDelegateCredentials to examples in sample ssh_config. ok markus@ 2006-06-13 05:01:09 +02:00			`# GSSAPIAuthentication no`
			`# GSSAPIDelegateCredentials no`
Initial revision 1999-10-27 05:42:43 +02:00			`# BatchMode no`
upstream: CheckHostIP has defaulted to 'no' for a while; make the commented- out config option match. From Ed Maste OpenBSD-Commit-ID: e66e934c45a9077cb1d51fc4f8d3df4505db58d9 2023-08-03 01:04:38 +02:00			`# CheckHostIP no`
- djm@cvs.openbsd.org 2003/05/16 03:27:12 [readconf.c ssh_config ssh_config.5 ssh-keysign.c] add AddressFamily option to ssh_config (like -4, -6 on commandline). Portable bug #534; ok markus@ 2003-05-18 12:50:30 +02:00			`# AddressFamily any`
- djm@cvs.openbsd.org 2003/05/15 14:55:25 [readconf.c readconf.h ssh_config ssh_config.5 sshconnect.c] add a ConnectTimeout option to ssh, based on patch from Jean-Charles Longuet (jclonguet at free.fr); portable #207 ok markus@ 2003-05-16 03:39:04 +02:00			`# ConnectTimeout 0`
- stevesk@cvs.openbsd.org 2002/01/16 17:55:33 [ssh_config] correct some commented defaults. add Ciphers default. ok markus@ 2002-01-22 13:32:39 +01:00			`# StrictHostKeyChecking ask`
- todd@cvs.openbsd.org 2001/04/03 21:19:38 [ssh_config] id_rsa1/2 -> id_rsa; ok markus@ 2001-04-04 03:58:48 +02:00			`# IdentityFile ~/.ssh/id_rsa`
- stevesk@cvs.openbsd.org 2002/01/16 17:55:33 [ssh_config] correct some commented defaults. add Ciphers default. ok markus@ 2002-01-22 13:32:39 +01:00			`# IdentityFile ~/.ssh/id_dsa`
upstream commit add missing ~/.ssh/id_ecdsa and ~/.ssh/id_ed25519 to IdentityFile. ok djm@ Upstream-ID: 6ce99466312e4ae7708017c3665e3edb976f70cf 2016-02-21 00:02:39 +01:00			`# IdentityFile ~/.ssh/id_ecdsa`
			`# IdentityFile ~/.ssh/id_ed25519`
Initial revision 1999-10-27 05:42:43 +02:00			`# Port 22`
upstream commit As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@ Upstream-ID: 21f8facdba3fd8da248df6417000867cec6ba222 2017-05-08 01:12:57 +02:00			`# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc`
			`# MACs hmac-md5,hmac-sha1,umac-64@openssh.com`
Initial revision 1999-10-27 05:42:43 +02:00			`# EscapeChar ~`
- reyk@cvs.openbsd.org 2005/12/06 22:38:28 [auth-options.c auth-options.h channels.c channels.h clientloop.c] [misc.c misc.h readconf.c readconf.h scp.c servconf.c servconf.h] [serverloop.c sftp.c ssh.1 ssh.c ssh_config ssh_config.5 sshconnect.c] [sshconnect.h sshd.8 sshd_config sshd_config.5] Add support for tun(4) forwarding over OpenSSH, based on an idea and initial channel code bits by markus@. This is a simple and easy way to use OpenSSH for ad hoc virtual private network connections, e.g. administrative tunnels or secure wireless access. It's based on a new ssh channel and works similar to the existing TCP forwarding support, except that it depends on the tun(4) network interface on both ends of the connection for layer 2 or layer 3 tunneling. This diff also adds support for LocalCommand in the ssh(1) client. ok djm@, markus@, jmc@ (manpages), tested and discussed with others 2005-12-13 09:29:02 +01:00			`# Tunnel no`
			`# TunnelDevice any:any`
			`# PermitLocalCommand no`
- grunk@cvs.openbsd.org 2008/07/25 06:56:35 [ssh_config] Add VisualHostKey to example file, ok djm@ 2008-11-03 09:15:44 +01:00			`# VisualHostKey no`
- dtucker@cvs.openbsd.org 2010/01/11 01:39:46 [ssh_config channels.c ssh.1 channels.h ssh.c] Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single port forward on the server. This allows, for example, using ssh as a ProxyCommand to route connections via intermediate servers. bz #1618, man page help from jmc@, ok markus@ 2010-01-12 09:40:27 +01:00			`# ProxyCommand ssh -q -W %h:%p gateway.example.com`
- dtucker@cvs.openbsd.org 2013/05/16 02:00:34 [ssh_config sshconnect2.c packet.c readconf.h readconf.c clientloop.c ssh_config.5 packet.h] Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm 2013-05-16 12:28:16 +02:00			`# RekeyLimit 1G 1h`
upstream: Add a '%k' TOKEN that expands to the effective HostKey of the destination. This allows, eg, keeping host keys in individual files using "UserKnownHostsFile ~/.ssh/known_hosts.d/%k". bz#1654, ok djm@, jmc@ (man page bits) OpenBSD-Commit-ID: 7084d723c9cc987a5c47194219efd099af5beadc 2020-07-17 05:43:42 +02:00			`# UserKnownHostsFile ~/.ssh/known_hosts.d/%k`