diff options
| author | Colin Watson <cjwatson@debian.org> | 2003-09-17 01:19:29 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2003-09-17 01:19:29 +0000 |
| commit | 9221adce6959801664fd4a340c19e6b69107ad0b (patch) | |
| tree | e8b7b5706043a4eb66e0e41aad2a7986cbedeb0f /ssh_config.0 | |
| parent | ade1cee573c0897cd08987dc14e23a555898cd12 (diff) | |
| parent | 22f9b945efa61bba12a4778b889df07cf851838a (diff) | |
Import OpenSSH 3.7.1p1.
Diffstat (limited to 'ssh_config.0')
| -rw-r--r-- | ssh_config.0 | 411 |
1 files changed, 411 insertions, 0 deletions
diff --git a/ssh_config.0 b/ssh_config.0 new file mode 100644 index 000000000..8c84502cb --- /dev/null +++ b/ssh_config.0 | |||
| @@ -0,0 +1,411 @@ | |||
| 1 | SSH_CONFIG(5) OpenBSD Programmer's Manual SSH_CONFIG(5) | ||
| 2 | |||
| 3 | NAME | ||
| 4 | ssh_config - OpenSSH SSH client configuration files | ||
| 5 | |||
| 6 | SYNOPSIS | ||
| 7 | $HOME/.ssh/config | ||
| 8 | /etc/ssh/ssh_config | ||
| 9 | |||
| 10 | DESCRIPTION | ||
| 11 | ssh obtains configuration data from the following sources in the follow- | ||
| 12 | ing order: | ||
| 13 | 1. command-line options | ||
| 14 | 2. user's configuration file ($HOME/.ssh/config) | ||
| 15 | 3. system-wide configuration file (/etc/ssh/ssh_config) | ||
| 16 | |||
| 17 | For each parameter, the first obtained value will be used. The configu- | ||
| 18 | ration files contain sections bracketed by ``Host'' specifications, and | ||
| 19 | that section is only applied for hosts that match one of the patterns | ||
| 20 | given in the specification. The matched host name is the one given on | ||
| 21 | the command line. | ||
| 22 | |||
| 23 | Since the first obtained value for each parameter is used, more host-spe- | ||
| 24 | cific declarations should be given near the beginning of the file, and | ||
| 25 | general defaults at the end. | ||
| 26 | |||
| 27 | The configuration file has the following format: | ||
| 28 | |||
| 29 | Empty lines and lines starting with `#' are comments. | ||
| 30 | |||
| 31 | Otherwise a line is of the format ``keyword arguments''. Configuration | ||
| 32 | options may be separated by whitespace or optional whitespace and exactly | ||
| 33 | one `='; the latter format is useful to avoid the need to quote whites- | ||
| 34 | pace when specifying configuration options using the ssh, scp and sftp -o | ||
| 35 | option. | ||
| 36 | |||
| 37 | The possible keywords and their meanings are as follows (note that key- | ||
| 38 | words are case-insensitive and arguments are case-sensitive): | ||
| 39 | |||
| 40 | Host Restricts the following declarations (up to the next Host key- | ||
| 41 | word) to be only for those hosts that match one of the patterns | ||
| 42 | given after the keyword. `*' and `?' can be used as wildcards in | ||
| 43 | the patterns. A single `*' as a pattern can be used to provide | ||
| 44 | global defaults for all hosts. The host is the hostname argument | ||
| 45 | given on the command line (i.e., the name is not converted to a | ||
| 46 | canonicalized host name before matching). | ||
| 47 | |||
| 48 | AddressFamily | ||
| 49 | Specifies which address family to use when connecting. Valid ar- | ||
| 50 | guments are ``any'', ``inet'' (Use IPv4 only) or ``inet6'' (Use | ||
| 51 | IPv6 only.) | ||
| 52 | |||
| 53 | BatchMode | ||
| 54 | If set to ``yes'', passphrase/password querying will be disabled. | ||
| 55 | This option is useful in scripts and other batch jobs where no | ||
| 56 | user is present to supply the password. The argument must be | ||
| 57 | ``yes'' or ``no''. The default is ``no''. | ||
| 58 | |||
| 59 | BindAddress | ||
| 60 | Specify the interface to transmit from on machines with multiple | ||
| 61 | interfaces or aliased addresses. Note that this option does not | ||
| 62 | work if UsePrivilegedPort is set to ``yes''. | ||
| 63 | |||
| 64 | ChallengeResponseAuthentication | ||
| 65 | Specifies whether to use challenge response authentication. The | ||
| 66 | argument to this keyword must be ``yes'' or ``no''. The default | ||
| 67 | is ``yes''. | ||
| 68 | |||
| 69 | CheckHostIP | ||
| 70 | If this flag is set to ``yes'', ssh will additionally check the | ||
| 71 | host IP address in the known_hosts file. This allows ssh to de- | ||
| 72 | tect if a host key changed due to DNS spoofing. If the option is | ||
| 73 | set to ``no'', the check will not be executed. The default is | ||
| 74 | ``yes''. | ||
| 75 | |||
| 76 | Cipher Specifies the cipher to use for encrypting the session in proto- | ||
| 77 | col version 1. Currently, ``blowfish'', ``3des'', and ``des'' | ||
| 78 | are supported. des is only supported in the ssh client for in- | ||
| 79 | teroperability with legacy protocol 1 implementations that do not | ||
| 80 | support the 3des cipher. Its use is strongly discouraged due to | ||
| 81 | cryptographic weaknesses. The default is ``3des''. | ||
| 82 | |||
| 83 | Ciphers | ||
| 84 | Specifies the ciphers allowed for protocol version 2 in order of | ||
| 85 | preference. Multiple ciphers must be comma-separated. The de- | ||
| 86 | fault is | ||
| 87 | |||
| 88 | ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, | ||
| 89 | aes192-cbc,aes256-cbc'' | ||
| 90 | |||
| 91 | ClearAllForwardings | ||
| 92 | Specifies that all local, remote and dynamic port forwardings | ||
| 93 | specified in the configuration files or on the command line be | ||
| 94 | cleared. This option is primarily useful when used from the ssh | ||
| 95 | command line to clear port forwardings set in configuration | ||
| 96 | files, and is automatically set by scp(1) and sftp(1). The argu- | ||
| 97 | ment must be ``yes'' or ``no''. The default is ``no''. | ||
| 98 | |||
| 99 | Compression | ||
| 100 | Specifies whether to use compression. The argument must be | ||
| 101 | ``yes'' or ``no''. The default is ``no''. | ||
| 102 | |||
| 103 | CompressionLevel | ||
| 104 | Specifies the compression level to use if compression is enabled. | ||
| 105 | The argument must be an integer from 1 (fast) to 9 (slow, best). | ||
| 106 | The default level is 6, which is good for most applications. The | ||
| 107 | meaning of the values is the same as in gzip(1). Note that this | ||
| 108 | option applies to protocol version 1 only. | ||
| 109 | |||
| 110 | ConnectionAttempts | ||
| 111 | Specifies the number of tries (one per second) to make before ex- | ||
| 112 | iting. The argument must be an integer. This may be useful in | ||
| 113 | scripts if the connection sometimes fails. The default is 1. | ||
| 114 | |||
| 115 | ConnectTimeout | ||
| 116 | Specifies the timeout (in seconds) used when connecting to the | ||
| 117 | ssh server, instead of using the default system TCP timeout. | ||
| 118 | This value is used only when the target is down or really un- | ||
| 119 | reachable, not when it refuses the connection. | ||
| 120 | |||
| 121 | DynamicForward | ||
| 122 | Specifies that a TCP/IP port on the local machine be forwarded | ||
| 123 | over the secure channel, and the application protocol is then | ||
| 124 | used to determine where to connect to from the remote machine. | ||
| 125 | The argument must be a port number. Currently the SOCKS4 and | ||
| 126 | SOCKS5 protocols are supported, and ssh will act as a SOCKS serv- | ||
| 127 | er. Multiple forwardings may be specified, and additional for- | ||
| 128 | wardings can be given on the command line. Only the superuser | ||
| 129 | can forward privileged ports. | ||
| 130 | |||
| 131 | EnableSSHKeysign | ||
| 132 | Setting this option to ``yes'' in the global client configuration | ||
| 133 | file /etc/ssh/ssh_config enables the use of the helper program | ||
| 134 | ssh-keysign(8) during HostbasedAuthentication. The argument must | ||
| 135 | be ``yes'' or ``no''. The default is ``no''. See ssh-keysign(8) | ||
| 136 | for more information. | ||
| 137 | |||
| 138 | EscapeChar | ||
| 139 | Sets the escape character (default: `~'). The escape character | ||
| 140 | can also be set on the command line. The argument should be a | ||
| 141 | single character, `^' followed by a letter, or ``none'' to dis- | ||
| 142 | able the escape character entirely (making the connection trans- | ||
| 143 | parent for binary data). | ||
| 144 | |||
| 145 | ForwardAgent | ||
| 146 | Specifies whether the connection to the authentication agent (if | ||
| 147 | any) will be forwarded to the remote machine. The argument must | ||
| 148 | be ``yes'' or ``no''. The default is ``no''. | ||
| 149 | |||
| 150 | Agent forwarding should be enabled with caution. Users with the | ||
| 151 | ability to bypass file permissions on the remote host (for the | ||
| 152 | agent's Unix-domain socket) can access the local agent through | ||
| 153 | the forwarded connection. An attacker cannot obtain key material | ||
| 154 | from the agent, however they can perform operations on the keys | ||
| 155 | that enable them to authenticate using the identities loaded into | ||
| 156 | the agent. | ||
| 157 | |||
| 158 | ForwardX11 | ||
| 159 | Specifies whether X11 connections will be automatically redirect- | ||
| 160 | ed over the secure channel and DISPLAY set. The argument must be | ||
| 161 | ``yes'' or ``no''. The default is ``no''. | ||
| 162 | |||
| 163 | X11 forwarding should be enabled with caution. Users with the | ||
| 164 | ability to bypass file permissions on the remote host (for the | ||
| 165 | user's X authorization database) can access the local X11 display | ||
| 166 | through the forwarded connection. An attacker may then be able | ||
| 167 | to perform activities such as keystroke monitoring. | ||
| 168 | |||
| 169 | GatewayPorts | ||
| 170 | Specifies whether remote hosts are allowed to connect to local | ||
| 171 | forwarded ports. By default, ssh binds local port forwardings to | ||
| 172 | the loopback address. This prevents other remote hosts from con- | ||
| 173 | necting to forwarded ports. GatewayPorts can be used to specify | ||
| 174 | that ssh should bind local port forwardings to the wildcard ad- | ||
| 175 | dress, thus allowing remote hosts to connect to forwarded ports. | ||
| 176 | The argument must be ``yes'' or ``no''. The default is ``no''. | ||
| 177 | |||
| 178 | GlobalKnownHostsFile | ||
| 179 | Specifies a file to use for the global host key database instead | ||
| 180 | of /etc/ssh/ssh_known_hosts. | ||
| 181 | |||
| 182 | GSSAPIAuthentication | ||
| 183 | Specifies whether authentication based on GSSAPI may be used, ei- | ||
| 184 | ther using the result of a successful key exchange, or using GSS- | ||
| 185 | API user authentication. The default is ``yes''. Note that this | ||
| 186 | option applies to protocol version 2 only. | ||
| 187 | |||
| 188 | GSSAPIDelegateCredentials | ||
| 189 | Forward (delegate) credentials to the server. The default is | ||
| 190 | ``no''. Note that this option applies to protocol version 2 on- | ||
| 191 | ly. | ||
| 192 | |||
| 193 | HostbasedAuthentication | ||
| 194 | Specifies whether to try rhosts based authentication with public | ||
| 195 | key authentication. The argument must be ``yes'' or ``no''. The | ||
| 196 | default is ``no''. This option applies to protocol version 2 on- | ||
| 197 | ly and is similar to RhostsRSAAuthentication. | ||
| 198 | |||
| 199 | HostKeyAlgorithms | ||
| 200 | Specifies the protocol version 2 host key algorithms that the | ||
| 201 | client wants to use in order of preference. The default for this | ||
| 202 | option is: ``ssh-rsa,ssh-dss''. | ||
| 203 | |||
| 204 | HostKeyAlias | ||
| 205 | Specifies an alias that should be used instead of the real host | ||
| 206 | name when looking up or saving the host key in the host key | ||
| 207 | database files. This option is useful for tunneling ssh connec- | ||
| 208 | tions or for multiple servers running on a single host. | ||
| 209 | |||
| 210 | HostName | ||
| 211 | Specifies the real host name to log into. This can be used to | ||
| 212 | specify nicknames or abbreviations for hosts. Default is the | ||
| 213 | name given on the command line. Numeric IP addresses are also | ||
| 214 | permitted (both on the command line and in HostName specifica- | ||
| 215 | tions). | ||
| 216 | |||
| 217 | IdentityFile | ||
| 218 | Specifies a file from which the user's RSA or DSA authentication | ||
| 219 | identity is read. The default is $HOME/.ssh/identity for proto- | ||
| 220 | col version 1, and $HOME/.ssh/id_rsa and $HOME/.ssh/id_dsa for | ||
| 221 | protocol version 2. Additionally, any identities represented by | ||
| 222 | the authentication agent will be used for authentication. The | ||
| 223 | file name may use the tilde syntax to refer to a user's home di- | ||
| 224 | rectory. It is possible to have multiple identity files speci- | ||
| 225 | fied in configuration files; all these identities will be tried | ||
| 226 | in sequence. | ||
| 227 | |||
| 228 | KeepAlive | ||
| 229 | Specifies whether the system should send TCP keepalive messages | ||
| 230 | to the other side. If they are sent, death of the connection or | ||
| 231 | crash of one of the machines will be properly noticed. However, | ||
| 232 | this means that connections will die if the route is down tem- | ||
| 233 | porarily, and some people find it annoying. | ||
| 234 | |||
| 235 | The default is ``yes'' (to send keepalives), and the client will | ||
| 236 | notice if the network goes down or the remote host dies. This is | ||
| 237 | important in scripts, and many users want it too. | ||
| 238 | |||
| 239 | To disable keepalives, the value should be set to ``no''. | ||
| 240 | |||
| 241 | LocalForward | ||
| 242 | Specifies that a TCP/IP port on the local machine be forwarded | ||
| 243 | over the secure channel to the specified host and port from the | ||
| 244 | remote machine. The first argument must be a port number, and | ||
| 245 | the second must be host:port. IPv6 addresses can be specified | ||
| 246 | with an alternative syntax: host/port. Multiple forwardings may | ||
| 247 | be specified, and additional forwardings can be given on the com- | ||
| 248 | mand line. Only the superuser can forward privileged ports. | ||
| 249 | |||
| 250 | LogLevel | ||
| 251 | Gives the verbosity level that is used when logging messages from | ||
| 252 | ssh. The possible values are: QUIET, FATAL, ERROR, INFO, VER- | ||
| 253 | BOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. The default is INFO. | ||
| 254 | DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify | ||
| 255 | higher levels of verbose output. | ||
| 256 | |||
| 257 | MACs Specifies the MAC (message authentication code) algorithms in or- | ||
| 258 | der of preference. The MAC algorithm is used in protocol version | ||
| 259 | 2 for data integrity protection. Multiple algorithms must be | ||
| 260 | comma-separated. The default is ``hmac-md5,hmac-sha1,hmac- | ||
| 261 | ripemd160,hmac-sha1-96,hmac-md5-96''. | ||
| 262 | |||
| 263 | NoHostAuthenticationForLocalhost | ||
| 264 | This option can be used if the home directory is shared across | ||
| 265 | machines. In this case localhost will refer to a different ma- | ||
| 266 | chine on each of the machines and the user will get many warnings | ||
| 267 | about changed host keys. However, this option disables host au- | ||
| 268 | thentication for localhost. The argument to this keyword must be | ||
| 269 | ``yes'' or ``no''. The default is to check the host key for lo- | ||
| 270 | calhost. | ||
| 271 | |||
| 272 | NumberOfPasswordPrompts | ||
| 273 | Specifies the number of password prompts before giving up. The | ||
| 274 | argument to this keyword must be an integer. Default is 3. | ||
| 275 | |||
| 276 | PasswordAuthentication | ||
| 277 | Specifies whether to use password authentication. The argument | ||
| 278 | to this keyword must be ``yes'' or ``no''. The default is | ||
| 279 | ``yes''. | ||
| 280 | |||
| 281 | Port Specifies the port number to connect on the remote host. Default | ||
| 282 | is 22. | ||
| 283 | |||
| 284 | PreferredAuthentications | ||
| 285 | Specifies the order in which the client should try protocol 2 au- | ||
| 286 | thentication methods. This allows a client to prefer one method | ||
| 287 | (e.g. keyboard-interactive) over another method (e.g. password) | ||
| 288 | The default for this option is: ``hostbased,publickey,keyboard- | ||
| 289 | interactive,password''. | ||
| 290 | |||
| 291 | Protocol | ||
| 292 | Specifies the protocol versions ssh should support in order of | ||
| 293 | preference. The possible values are ``1'' and ``2''. Multiple | ||
| 294 | versions must be comma-separated. The default is ``2,1''. This | ||
| 295 | means that ssh tries version 2 and falls back to version 1 if | ||
| 296 | version 2 is not available. | ||
| 297 | |||
| 298 | ProxyCommand | ||
| 299 | Specifies the command to use to connect to the server. The com- | ||
| 300 | mand string extends to the end of the line, and is executed with | ||
| 301 | /bin/sh. In the command string, `%h' will be substituted by the | ||
| 302 | host name to connect and `%p' by the port. The command can be | ||
| 303 | basically anything, and should read from its standard input and | ||
| 304 | write to its standard output. It should eventually connect an | ||
| 305 | sshd(8) server running on some machine, or execute sshd -i some- | ||
| 306 | where. Host key management will be done using the HostName of | ||
| 307 | the host being connected (defaulting to the name typed by the us- | ||
| 308 | er). Setting the command to ``none'' disables this option en- | ||
| 309 | tirely. Note that CheckHostIP is not available for connects with | ||
| 310 | a proxy command. | ||
| 311 | |||
| 312 | PubkeyAuthentication | ||
| 313 | Specifies whether to try public key authentication. The argument | ||
| 314 | to this keyword must be ``yes'' or ``no''. The default is | ||
| 315 | ``yes''. This option applies to protocol version 2 only. | ||
| 316 | |||
| 317 | RemoteForward | ||
| 318 | Specifies that a TCP/IP port on the remote machine be forwarded | ||
| 319 | over the secure channel to the specified host and port from the | ||
| 320 | local machine. The first argument must be a port number, and the | ||
| 321 | second must be host:port. IPv6 addresses can be specified with | ||
| 322 | an alternative syntax: host/port. Multiple forwardings may be | ||
| 323 | specified, and additional forwardings can be given on the command | ||
| 324 | line. Only the superuser can forward privileged ports. | ||
| 325 | |||
| 326 | RhostsRSAAuthentication | ||
| 327 | Specifies whether to try rhosts based authentication with RSA | ||
| 328 | host authentication. The argument must be ``yes'' or ``no''. | ||
| 329 | The default is ``no''. This option applies to protocol version 1 | ||
| 330 | only and requires ssh to be setuid root. | ||
| 331 | |||
| 332 | RSAAuthentication | ||
| 333 | Specifies whether to try RSA authentication. The argument to | ||
| 334 | this keyword must be ``yes'' or ``no''. RSA authentication will | ||
| 335 | only be attempted if the identity file exists, or an authentica- | ||
| 336 | tion agent is running. The default is ``yes''. Note that this | ||
| 337 | option applies to protocol version 1 only. | ||
| 338 | |||
| 339 | SmartcardDevice | ||
| 340 | Specifies which smartcard device to use. The argument to this | ||
| 341 | keyword is the device ssh should use to communicate with a smart- | ||
| 342 | card used for storing the user's private RSA key. By default, no | ||
| 343 | device is specified and smartcard support is not activated. | ||
| 344 | |||
| 345 | StrictHostKeyChecking | ||
| 346 | If this flag is set to ``yes'', ssh will never automatically add | ||
| 347 | host keys to the $HOME/.ssh/known_hosts file, and refuses to con- | ||
| 348 | nect to hosts whose host key has changed. This provides maximum | ||
| 349 | protection against trojan horse attacks, however, can be annoying | ||
| 350 | when the /etc/ssh/ssh_known_hosts file is poorly maintained, or | ||
| 351 | connections to new hosts are frequently made. This option forces | ||
| 352 | the user to manually add all new hosts. If this flag is set to | ||
| 353 | ``no'', ssh will automatically add new host keys to the user | ||
| 354 | known hosts files. If this flag is set to ``ask'', new host keys | ||
| 355 | will be added to the user known host files only after the user | ||
| 356 | has confirmed that is what they really want to do, and ssh will | ||
| 357 | refuse to connect to hosts whose host key has changed. The host | ||
| 358 | keys of known hosts will be verified automatically in all cases. | ||
| 359 | The argument must be ``yes'', ``no'' or ``ask''. The default is | ||
| 360 | ``ask''. | ||
| 361 | |||
| 362 | UsePrivilegedPort | ||
| 363 | Specifies whether to use a privileged port for outgoing connec- | ||
| 364 | tions. The argument must be ``yes'' or ``no''. The default is | ||
| 365 | ``no''. If set to ``yes'' ssh must be setuid root. Note that | ||
| 366 | this option must be set to ``yes'' for RhostsRSAAuthentication | ||
| 367 | with older servers. | ||
| 368 | |||
| 369 | User Specifies the user to log in as. This can be useful when a dif- | ||
| 370 | ferent user name is used on different machines. This saves the | ||
| 371 | trouble of having to remember to give the user name on the com- | ||
| 372 | mand line. | ||
| 373 | |||
| 374 | UserKnownHostsFile | ||
| 375 | Specifies a file to use for the user host key database instead of | ||
| 376 | $HOME/.ssh/known_hosts. | ||
| 377 | |||
| 378 | VerifyHostKeyDNS | ||
| 379 | Specifies whether to verify the remote key using DNS and SSHFP | ||
| 380 | resource records. The default is ``no''. Note that this option | ||
| 381 | applies to protocol version 2 only. | ||
| 382 | |||
| 383 | XAuthLocation | ||
| 384 | Specifies the full pathname of the xauth(1) program. The default | ||
| 385 | is /usr/X11R6/bin/xauth. | ||
| 386 | |||
| 387 | FILES | ||
| 388 | $HOME/.ssh/config | ||
| 389 | This is the per-user configuration file. The format of this file | ||
| 390 | is described above. This file is used by the ssh client. This | ||
| 391 | file does not usually contain any sensitive information, but the | ||
| 392 | recommended permissions are read/write for the user, and not ac- | ||
| 393 | cessible by others. | ||
| 394 | |||
| 395 | /etc/ssh/ssh_config | ||
| 396 | Systemwide configuration file. This file provides defaults for | ||
| 397 | those values that are not specified in the user's configuration | ||
| 398 | file, and for those users who do not have a configuration file. | ||
| 399 | This file must be world-readable. | ||
| 400 | |||
| 401 | SEE ALSO | ||
| 402 | ssh(1) | ||
| 403 | |||
| 404 | AUTHORS | ||
| 405 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by | ||
| 406 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo | ||
| 407 | de Raadt and Dug Song removed many bugs, re-added newer features and cre- | ||
| 408 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol | ||
| 409 | versions 1.5 and 2.0. | ||
| 410 | |||
| 411 | OpenBSD 3.4 September 25, 1999 7 | ||