PanicアプリにおけるSSH Config設定の動作について
SSHはある種の複雑な迷路のようなもので、サーバへの接続時に必要な設定を ~/.ssh/config ファイル記述しておく必要があります。以下はPanicアプリでサポートされているすべての設定と、公式の man ページの記述および、これらのオプションがPanicアプリでどのように扱われ、またその際の注意事項のリストです。
Hostname
現時点でNovaのGit機能と互換性がありません。
Specifies the real host name to log into. This can be used
to specify nicknames or abbreviations for hosts. Arguments
to Hostname accept the tokens described in the TOKENS
section. Numeric IP addresses are also permitted (both on
the command line and in Hostname specifications). The
default is the name given on the command line.
User
Specifies the user to log in as. This can be useful when a
different user name is used on different machines. This
saves the trouble of having to remember to give the user
name on the command line.
Port
Specifies the port number to connect on the remote host.
The default is 22.
IdentityAgent
SSH_AUTH_SOCKの代わりに使用できます。
Specifies the UNIX-domain socket used to communicate with
the authentication agent.
This option overrides the SSH_AUTH_SOCK environment
variable and can be used to select a specific agent.
Setting the socket name to none disables the use of an
authentication agent. If the string "SSH_AUTH_SOCK" is
specified, the location of the socket will be read from the
SSH_AUTH_SOCK environment variable. Otherwise if the
specified value begins with a ‘$’ character, then it will
be treated as an environment variable containing the
location of the socket.
Arguments to IdentityAgent may use the tilde syntax to
refer to a user's home directory
IdentityFile
Specifies a file from which the user's DSA, ECDSA,
authenticator-hosted ECDSA, Ed25519, authenticator-hosted
Ed25519 or RSA authentication identity is read. The
default is ~/.ssh/id_dsa, ~/.ssh/id_ecdsa,
~/.ssh/id_ecdsa_sk, ~/.ssh/id_ed25519, ~/.ssh/id_ed25519_sk
and ~/.ssh/id_rsa. Additionally, any identities
represented by the authentication agent will be used for
authentication unless IdentitiesOnly is set. If no
certificates have been explicitly specified by
CertificateFile, ssh(1) will try to load certificate
information from the filename obtained by appending
-cert.pub to the path of a specified IdentityFile.
Arguments to IdentityFile may use the tilde syntax to refer
to a user's home directory or the tokens described in the
TOKENS section.
It is possible to have multiple identity files specified in
configuration files; all these identities will be tried in
sequence. Multiple IdentityFile directives will add to the
list of identities tried (this behaviour differs from that
of other configuration directives).
IdentityFile may be used in conjunction with IdentitiesOnly
to select which identities in an agent are offered during
authentication. IdentityFile may also be used in
conjunction with CertificateFile in order to provide any
certificate also needed for authentication with the
identity.
ProxyJump
** Prompt 3でのみサポートされます。 **
Specifies one or more jump proxies as either
[user@]host[:port] or an ssh URI. Multiple proxies may be
separated by comma characters and will be visited
sequentially. Setting this option will cause ssh(1) to
connect to the target host by first making a ssh(1)
connection to the specified ProxyJump host and then
establishing a TCP forwarding to the ultimate target from
there. Setting the host to none disables this option
entirely.
Note that this option will compete with the ProxyCommand
option - whichever is specified first will prevent later
instances of the other from taking effect.
Note also that the configuration for the destination host
(either supplied via the command-line or the configuration
file) is not generally applied to jump hosts. ~/.ssh/config
should be used if specific configuration is required for
jump hosts.
ProxyCommand
現時点で %h', %p と %r のみサポート。他のトークンも将来サポート予定です。
Specifies the command to use to connect to the server. The
command string extends to the end of the line, and is
executed using the user's shell ‘exec’ directive to avoid a
lingering shell process.
ProxyUseFdpass
Specifies that ProxyCommand will pass a connected file
descriptor back to ssh(1) instead of continuing to execute
and pass data. The default is no.
UserKnownHostsFile
Specifies one or more files to use for the user host key
database, separated by whitespace. Each filename may use
tilde notation to refer to the user's home directory, the
tokens described in the TOKENS section and environment
variables as described in the ENVIRONMENT VARIABLES
section. The default is ~/.ssh/known_hosts,
~/.ssh/known_hosts2.
HashKnownHosts
Indicates that ssh(1) should hash host names and addresses
when they are added to ~/.ssh/known_hosts. These hashed
names may be used normally by ssh(1) and sshd(8), but they
do not visually reveal identifying information if the
file's contents are disclosed. The default is no. Note
that existing names and addresses in known hosts files will
not be converted automatically, but may be manually hashed
using ssh-keygen(1).
StrictHostKeyChecking
accept-new は未サポートで、単に yes として扱われます。
If this flag is set to yes, ssh(1) will never automatically
add host keys to the ~/.ssh/known_hosts file, and refuses
to connect to hosts whose host key has changed. This
provides maximum protection against man-in-the-middle
(MITM) attacks, though it can be annoying when the
/etc/ssh/ssh_known_hosts file is poorly maintained or when
connections to new hosts are frequently made. This option
forces the user to manually add all new hosts.
If this flag is set to “accept-new” then ssh will
automatically add new host keys to the user's known_hosts
file, but will not permit connections to hosts with changed
host keys. If this flag is set to “no” or “off”, ssh will
automatically add new host keys to the user known hosts
files and allow connections to hosts with changed hostkeys
to proceed, subject to some restrictions. If this flag is
set to ask (the default), new host keys will be added to
the user known host files only after the user has confirmed
that is what they really want to do, and ssh will refuse to
connect to hosts whose host key has changed. The host keys
of known hosts will be verified automatically in all cases.
NoHostAuthenticationForLocalhost
TransmitおよびNovaのファイルブラウザで、SFTP接続時のみサポートされます。HostKeyAliasは未定義である必要があり、使われません。
Disable host authentication for localhost (loopback
addresses). The argument to this keyword must be yes or no
(the default).
HostKeyAlgorithms
Specifies the host key signature algorithms that the client
wants to use in order of preference. Alternately if the
specified list begins with a ‘+’ character, then the
specified signature algorithms will be appended to the
default set instead of replacing them. If the specified
list begins with a ‘-’ character, then the specified
signature algorithms (including wildcards) will be removed
from the default set instead of replacing them. If the
specified list begins with a ‘^’ character, then the
specified signature algorithms will be placed at the head
of the default set.
KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated. If the
specified list begins with a ‘+’ character, then the
specified methods will be appended to the default set
instead of replacing them. If the specified list begins
with a ‘-’ character, then the specified methods (including
wildcards) will be removed from the default set instead of
replacing them. If the specified list begins with a ‘^’
character, then the specified methods will be placed at the
head of the default set.
Ciphers
Specifies the ciphers allowed and their order of
preference. Multiple ciphers must be comma-separated. If
the specified list begins with a ‘+’ character, then the
specified ciphers will be appended to the default set
instead of replacing them. If the specified list begins
with a ‘-’ character, then the specified ciphers (including
wildcards) will be removed from the default set instead of
replacing them. If the specified list begins with a ‘^’
character, then the specified ciphers will be placed at the
head of the default set.
MACs
Specifies the MAC (message authentication code) algorithms
in order of preference. The MAC algorithm is used for data
integrity protection. Multiple algorithms must be comma-
separated. If the specified list begins with a ‘+’
character, then the specified algorithms will be appended
to the default set instead of replacing them. If the
specified list begins with a ‘-’ character, then the
specified algorithms (including wildcards) will be removed
from the default set instead of replacing them. If the
specified list begins with a ‘^’ character, then the
specified algorithms will be placed at the head of the
default set.
IdentitiesOnly
Transmit 5.8.0以降および、Nova 8.0以降でのみサポートされます。
Specifies that ssh(1) should only use the configured
authentication identity and certificate files (either the
default files, or those explicitly configured in the
ssh_config files or passed on the ssh(1) command-line),
even if ssh-agent(1) or a PKCS11Provider or
SecurityKeyProvider offers more identities. The argument
to this keyword must be yes or no (the default). This
option is intended for situations where ssh-agent offers
many different identities.
ForwardAgent
Novaでのみサポートされます。
Specifies whether the connection to the authentication
agent (if any) will be forwarded to the remote machine.
The argument may be yes, no (the default), an explicit path
to an agent socket or the name of an environment variable
(beginning with ‘$’) in which to find the path.
Agent forwarding should be enabled with caution. Users
with the ability to bypass file permissions on the remote
host (for the agent's Unix-domain socket) can access the
local agent through the forwarded connection. An attacker
cannot obtain key material from the agent, however they can
perform operations on the keys that enable them to
authenticate using the identities loaded into the agent.
PKCS11Provider
完全にはサポートされておらず、Yubikeyを検出および認証するためのOpenSCおよびyubico-piv-toolでのみ機能します。
Specifies which PKCS#11 provider to use or none to indicate
that no provider should be used (the default). The argument to
this keyword is a path to the PKCS#11 shared library ssh(1)
should use to communicate with a PKCS#11 token providing keys
for user authentication.
Command documentation provided by OpenSSH under the OpenBSD license.