author: Colin Watson <cjwatson@debian.org> 2005-09-14 11:27:01 +0000
committer: Colin Watson <cjwatson@debian.org> 2005-09-14 11:27:01 +0000
commit: 16704d57999d987fb8d9ba53379841a79f016d67 (patch)
tree: b7ecfbd5be83f191af382f3186c39ba1843ba7a1 /ssh_config.0
parent: c8ab8ceacbe4dbdd7afea4e890d92e86282d050e (diff)
parent: a55bd782aa819b7f5ae716de000f19f4f531850e (diff)
Import OpenSSH 4.2p1.
Diffstat (limited to 'ssh_config.0')
-rw-r--r-- ssh_config.0 554
1 files changed, 554 insertions, 0 deletions
diff --git a/ssh_config.0 b/ssh_config.0
new file mode 100644
index 000000000..a2706b69c
--- /dev/null
+++ b/ssh_config.0
@@ -0,0 +1,554 @@
1SSH_CONFIG(5) OpenBSD Programmer's Manual SSH_CONFIG(5)
2
3NAME
4 ssh_config - OpenSSH SSH client configuration files
5
6SYNOPSIS
7 ~/.ssh/config
8 /etc/ssh/ssh_config
9
10DESCRIPTION
11 ssh obtains configuration data from the following sources in the follow-
12 ing order:
13 1. command-line options
14 2. user's configuration file (~/.ssh/config)
15 3. system-wide configuration file (/etc/ssh/ssh_config)
16
17 For each parameter, the first obtained value will be used. The configu-
18 ration files contain sections separated by ``Host'' specifications, and
19 that section is only applied for hosts that match one of the patterns
20 given in the specification. The matched host name is the one given on
21 the command line.
22
23 Since the first obtained value for each parameter is used, more host-spe-
24 cific declarations should be given near the beginning of the file, and
25 general defaults at the end.
26
27 The configuration file has the following format:
28
29 Empty lines and lines starting with `#' are comments.
30
31 Otherwise a line is of the format ``keyword arguments''. Configuration
32 options may be separated by whitespace or optional whitespace and exactly
33 one `='; the latter format is useful to avoid the need to quote whites-
34 pace when specifying configuration options using the ssh, scp and sftp -o
35 option.
36
37 The possible keywords and their meanings are as follows (note that key-
38 words are case-insensitive and arguments are case-sensitive):
39
40 Host Restricts the following declarations (up to the next Host key-
41 word) to be only for those hosts that match one of the patterns
42 given after the keyword. `*' and `?' can be used as wildcards in
43 the patterns. A single `*' as a pattern can be used to provide
44 global defaults for all hosts. The host is the hostname argument
45 given on the command line (i.e., the name is not converted to a
46 canonicalized host name before matching).
47
48 AddressFamily
49 Specifies which address family to use when connecting. Valid ar-
50 guments are ``any'', ``inet'' (use IPv4 only) or ``inet6'' (use
51 IPv6 only).
52
53 BatchMode
54 If set to ``yes'', passphrase/password querying will be disabled.
55 This option is useful in scripts and other batch jobs where no
56 user is present to supply the password. The argument must be
57 ``yes'' or ``no''. The default is ``no''.
58
59 BindAddress
60 Use the specified address on the local machine as the source ad-
61 dress of the connection. Only useful on systems with more than
62 one address. Note that this option does not work if
63 UsePrivilegedPort is set to ``yes''.
64
65 ChallengeResponseAuthentication
66 Specifies whether to use challenge response authentication. The
67 argument to this keyword must be ``yes'' or ``no''. The default
68 is ``yes''.
69
70 CheckHostIP
71 If this flag is set to ``yes'', ssh will additionally check the
72 host IP address in the known_hosts file. This allows ssh to de-
73 tect if a host key changed due to DNS spoofing. If the option is
74 set to ``no'', the check will not be executed. The default is
75 ``yes''.
76
77 Cipher Specifies the cipher to use for encrypting the session in proto-
78 col version 1. Currently, ``blowfish'', ``3des'', and ``des''
79 are supported. des is only supported in the ssh client for in-
80 teroperability with legacy protocol 1 implementations that do not
81 support the 3des cipher. Its use is strongly discouraged due to
82 cryptographic weaknesses. The default is ``3des''.
83
84 Ciphers
85 Specifies the ciphers allowed for protocol version 2 in order of
86 preference. Multiple ciphers must be comma-separated. The sup-
87 ported ciphers are ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'',
88 ``aes256-cbc'', ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'',
89 ``arcfour128'', ``arcfour256'', ``arcfour'', ``blowfish-cbc'',
90 and ``cast128-cbc''. The default is
91
92 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
93 arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
94 aes192-ctr,aes256-ctr''
95
96 ClearAllForwardings
97 Specifies that all local, remote and dynamic port forwardings
98 specified in the configuration files or on the command line be
99 cleared. This option is primarily useful when used from the ssh
100 command line to clear port forwardings set in configuration
101 files, and is automatically set by scp(1) and sftp(1). The argu-
102 ment must be ``yes'' or ``no''. The default is ``no''.
103
104 Compression
105 Specifies whether to use compression. The argument must be
106 ``yes'' or ``no''. The default is ``no''.
107
108 CompressionLevel
109 Specifies the compression level to use if compression is enabled.
110 The argument must be an integer from 1 (fast) to 9 (slow, best).
111 The default level is 6, which is good for most applications. The
112 meaning of the values is the same as in gzip(1). Note that this
113 option applies to protocol version 1 only.
114
115 ConnectionAttempts
116 Specifies the number of tries (one per second) to make before ex-
117 iting. The argument must be an integer. This may be useful in
118 scripts if the connection sometimes fails. The default is 1.
119
120 ConnectTimeout
121 Specifies the timeout (in seconds) used when connecting to the
122 ssh server, instead of using the default system TCP timeout.
123 This value is used only when the target is down or really un-
124 reachable, not when it refuses the connection.
125
126 ControlMaster
127 Enables the sharing of multiple sessions over a single network
128 connection. When set to ``yes'' ssh will listen for connections
129 on a control socket specified using the ControlPath argument.
130 Additional sessions can connect to this socket using the same
131 ControlPath with ControlMaster set to ``no'' (the default).
132 These sessions will reuse the master instance's network connec-
133 tion rather than initiating new ones. Setting this to ``ask''
134 will cause ssh to listen for control connections, but require
135 confirmation using the SSH_ASKPASS program before they are ac-
136 cepted (see ssh-add(1) for details). If the ControlPath can not
137 be opened, ssh will continue without connecting to a master in-
138 stance.
139
140 X11 and ssh-agent(1) forwarding is supported over these multi-
141 plexed connections, however the display and agent fowarded will
142 be the one belonging to the master connection i.e. it is not pos-
143 sible to forward multiple displays or agents.
144
145 Two additional options allow for opportunistic multiplexing: try
146 to use a master connection but fall back to creating a new one if
147 one does not already exist. These options are: ``auto'' and
148 ``autoask''. The latter requires confirmation like the ``ask''
149 option.
150
151 ControlPath
152 Specify the path to the control socket used for connection shar-
153 ing as described in the ControlMaster section above or the string
154 ``none'' to disable connection sharing. In the path, `%h' will
155 be substituted by the target host name, `%p' the port and `%r' by
156 the remote login username. It is recommended that any
157 ControlPath used for opportunistic connection sharing include all
158 three of these escape sequences. This ensures that shared con-
159 nections are uniquely identified.
160
161 DynamicForward
162 Specifies that a TCP/IP port on the local machine be forwarded
163 over the secure channel, and the application protocol is then
164 used to determine where to connect to from the remote machine.
165 The argument must be a port number. Currently the SOCKS4 and
166 SOCKS5 protocols are supported, and ssh will act as a SOCKS serv-
167 er. Multiple forwardings may be specified, and additional for-
168 wardings can be given on the command line. Only the superuser
169 can forward privileged ports.
170
171 EnableSSHKeysign
172 Setting this option to ``yes'' in the global client configuration
173 file /etc/ssh/ssh_config enables the use of the helper program
174 ssh-keysign(8) during HostbasedAuthentication. The argument must
175 be ``yes'' or ``no''. The default is ``no''. This option should
176 be placed in the non-hostspecific section. See ssh-keysign(8)
177 for more information.
178
179 EscapeChar
180 Sets the escape character (default: `~'). The escape character
181 can also be set on the command line. The argument should be a
182 single character, `^' followed by a letter, or ``none'' to dis-
183 able the escape character entirely (making the connection trans-
184 parent for binary data).
185
186 ForwardAgent
187 Specifies whether the connection to the authentication agent (if
188 any) will be forwarded to the remote machine. The argument must
189 be ``yes'' or ``no''. The default is ``no''.
190
191 Agent forwarding should be enabled with caution. Users with the
192 ability to bypass file permissions on the remote host (for the
193 agent's Unix-domain socket) can access the local agent through
194 the forwarded connection. An attacker cannot obtain key material
195 from the agent, however they can perform operations on the keys
196 that enable them to authenticate using the identities loaded into
197 the agent.
198
199 ForwardX11
200 Specifies whether X11 connections will be automatically redirect-
201 ed over the secure channel and DISPLAY set. The argument must be
202 ``yes'' or ``no''. The default is ``no''.
203
204 X11 forwarding should be enabled with caution. Users with the
205 ability to bypass file permissions on the remote host (for the
206 user's X11 authorization database) can access the local X11 dis-
207 play through the forwarded connection. An attacker may then be
208 able to perform activities such as keystroke monitoring if the
209 ForwardX11Trusted option is also enabled.
210
211 ForwardX11Trusted
212 If this option is set to ``yes'' then remote X11 clients will
213 have full access to the original X11 display.
214
215 If this option is set to ``no'' then remote X11 clients will be
216 considered untrusted and prevented from stealing or tampering
217 with data belonging to trusted X11 clients. Furthermore, the
218 xauth(1) token used for the session will be set to expire after
219 20 minutes. Remote clients will be refused access after this
220 time.
221
222 The default is ``no''.
223
224 See the X11 SECURITY extension specification for full details on
225 the restrictions imposed on untrusted clients.
226
227 GatewayPorts
228 Specifies whether remote hosts are allowed to connect to local
229 forwarded ports. By default, ssh binds local port forwardings to
230 the loopback address. This prevents other remote hosts from con-
231 necting to forwarded ports. GatewayPorts can be used to specify
232 that ssh should bind local port forwardings to the wildcard ad-
233 dress, thus allowing remote hosts to connect to forwarded ports.
234 The argument must be ``yes'' or ``no''. The default is ``no''.
235
236 GlobalKnownHostsFile
237 Specifies a file to use for the global host key database instead
238 of /etc/ssh/ssh_known_hosts.
239
240 GSSAPIAuthentication
241 Specifies whether user authentication based on GSSAPI is allowed.
242 The default is ``no''. Note that this option applies to protocol
243 version 2 only.
244
245 GSSAPIDelegateCredentials
246 Forward (delegate) credentials to the server. The default is
247 ``no''. Note that this option applies to protocol version 2 on-
248 ly.
249
250 HashKnownHosts
251 Indicates that ssh should hash host names and addresses when they
252 are added to ~/.ssh/known_hosts. These hashed names may be used
253 normally by ssh and sshd, but they do not reveal identifying in-
254 formation should the file's contents be disclosed. The default
255 is ``no''. Note that hashing of names and addresses will not be
256 retrospectively applied to existing known hosts files, but these
257 may be manually hashed using ssh-keygen(1).
258
259 HostbasedAuthentication
260 Specifies whether to try rhosts based authentication with public
261 key authentication. The argument must be ``yes'' or ``no''. The
262 default is ``no''. This option applies to protocol version 2 on-
263 ly and is similar to RhostsRSAAuthentication.
264
265 HostKeyAlgorithms
266 Specifies the protocol version 2 host key algorithms that the
267 client wants to use in order of preference. The default for this
268 option is: ``ssh-rsa,ssh-dss''.
269
270 HostKeyAlias
271 Specifies an alias that should be used instead of the real host
272 name when looking up or saving the host key in the host key
273 database files. This option is useful for tunneling ssh connec-
274 tions or for multiple servers running on a single host.
275
276 HostName
277 Specifies the real host name to log into. This can be used to
278 specify nicknames or abbreviations for hosts. Default is the
279 name given on the command line. Numeric IP addresses are also
280 permitted (both on the command line and in HostName specifica-
281 tions).
282
283 IdentityFile
284 Specifies a file from which the user's RSA or DSA authentication
285 identity is read. The default is ~/.ssh/identity for protocol
286 version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol ver-
287 sion 2. Additionally, any identities represented by the authen-
288 tication agent will be used for authentication. The file name
289 may use the tilde syntax to refer to a user's home directory. It
290 is possible to have multiple identity files specified in configu-
291 ration files; all these identities will be tried in sequence.
292
293 IdentitiesOnly
294 Specifies that ssh should only use the authentication identity
295 files configured in the ssh_config files, even if the ssh-agent
296 offers more identities. The argument to this keyword must be
297 ``yes'' or ``no''. This option is intented for situations where
298 ssh-agent offers many different identities. The default is
299 ``no''.
300
301 KbdInteractiveDevices
302 Specifies the list of methods to use in keyboard-interactive au-
303 thentication. Multiple method names must be comma-separated.
304 The default is to use the server specified list.
305
306 LocalForward
307 Specifies that a TCP/IP port on the local machine be forwarded
308 over the secure channel to the specified host and port from the
309 remote machine. The first argument must be [bind_address:]port
310 and the second argument must be host:hostport. IPv6 addresses
311 can be specified by enclosing addresses in square brackets or by
312 using an alternative syntax: [bind_address/]port and
313 host/hostport. Multiple forwardings may be specified, and addi-
314 tional forwardings can be given on the command line. Only the
315 superuser can forward privileged ports. By default, the local
316 port is bound in accordance with the GatewayPorts setting. How-
317 ever, an explicit bind_address may be used to bind the connection
318 to a specific address. The bind_address of ``localhost'' indi-
319 cates that the listening port be bound for local use only, while
320 an empty address or `*' indicates that the port should be avail-
321 able from all interfaces.
322
323 LogLevel
324 Gives the verbosity level that is used when logging messages from
325 ssh. The possible values are: QUIET, FATAL, ERROR, INFO, VER-
326 BOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. The default is INFO.
327 DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify
328 higher levels of verbose output.
329
330 MACs Specifies the MAC (message authentication code) algorithms in or-
331 der of preference. The MAC algorithm is used in protocol version
332 2 for data integrity protection. Multiple algorithms must be
333 comma-separated. The default is ``hmac-md5,hmac-sha1,hmac-
334 ripemd160,hmac-sha1-96,hmac-md5-96''.
335
336 NoHostAuthenticationForLocalhost
337 This option can be used if the home directory is shared across
338 machines. In this case localhost will refer to a different ma-
339 chine on each of the machines and the user will get many warnings
340 about changed host keys. However, this option disables host au-
341 thentication for localhost. The argument to this keyword must be
342 ``yes'' or ``no''. The default is to check the host key for lo-
343 calhost.
344
345 NumberOfPasswordPrompts
346 Specifies the number of password prompts before giving up. The
347 argument to this keyword must be an integer. Default is 3.
348
349 PasswordAuthentication
350 Specifies whether to use password authentication. The argument
351 to this keyword must be ``yes'' or ``no''. The default is
352 ``yes''.
353
354 Port Specifies the port number to connect on the remote host. Default
355 is 22.
356
357 PreferredAuthentications
358 Specifies the order in which the client should try protocol 2 au-
359 thentication methods. This allows a client to prefer one method
360 (e.g. keyboard-interactive) over another method (e.g. password)
361 The default for this option is: ``hostbased,publickey,keyboard-
362 interactive,password''.
363
364 Protocol
365 Specifies the protocol versions ssh should support in order of
366 preference. The possible values are ``1'' and ``2''. Multiple
367 versions must be comma-separated. The default is ``2,1''. This
368 means that ssh tries version 2 and falls back to version 1 if
369 version 2 is not available.
370
371 ProxyCommand
372 Specifies the command to use to connect to the server. The com-
373 mand string extends to the end of the line, and is executed with
374 /bin/sh. In the command string, `%h' will be substituted by the
375 host name to connect and `%p' by the port. The command can be
376 basically anything, and should read from its standard input and
377 write to its standard output. It should eventually connect an
378 sshd(8) server running on some machine, or execute sshd -i some-
379 where. Host key management will be done using the HostName of
380 the host being connected (defaulting to the name typed by the us-
381 er). Setting the command to ``none'' disables this option en-
382 tirely. Note that CheckHostIP is not available for connects with
383 a proxy command.
384
385 This directive is useful in conjunction with nc(1) and its proxy
386 support. For example, the following directive would connect via
387 an HTTP proxy at 192.0.2.0:
388
389 ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
390
391 PubkeyAuthentication
392 Specifies whether to try public key authentication. The argument
393 to this keyword must be ``yes'' or ``no''. The default is
394 ``yes''. This option applies to protocol version 2 only.
395
396 RemoteForward
397 Specifies that a TCP/IP port on the remote machine be forwarded
398 over the secure channel to the specified host and port from the
399 local machine. The first argument must be [bind_address:]port
400 and the second argument must be host:hostport. IPv6 addresses
401 can be specified by enclosing addresses in square brackets or by
402 using an alternative syntax: [bind_address/]port and
403 host/hostport. Multiple forwardings may be specified, and addi-
404 tional forwardings can be given on the command line. Only the
405 superuser can forward privileged ports.
406
407 If the bind_address is not specified, the default is to only bind
408 to loopback addresses. If the bind_address is `*' or an empty
409 string, then the forwarding is requested to listen on all inter-
410 faces. Specifying a remote bind_address will only succeed if the
411 server's GatewayPorts option is enabled (see sshd_config(5)).
412
413 RhostsRSAAuthentication
414 Specifies whether to try rhosts based authentication with RSA
415 host authentication. The argument must be ``yes'' or ``no''.
416 The default is ``no''. This option applies to protocol version 1
417 only and requires ssh to be setuid root.
418
419 RSAAuthentication
420 Specifies whether to try RSA authentication. The argument to
421 this keyword must be ``yes'' or ``no''. RSA authentication will
422 only be attempted if the identity file exists, or an authentica-
423 tion agent is running. The default is ``yes''. Note that this
424 option applies to protocol version 1 only.
425
426 SendEnv
427 Specifies what variables from the local environ(7) should be sent
428 to the server. Note that environment passing is only supported
429 for protocol 2, the server must also support it, and the server
430 must be configured to accept these environment variables. Refer
431 to AcceptEnv in sshd_config(5) for how to configure the server.
432 Variables are specified by name, which may contain the wildcard
433 characters `*' and `?'. Multiple environment variables may be
434 separated by whitespace or spread across multiple SendEnv direc-
435 tives. The default is not to send any environment variables.
436
437 ServerAliveInterval
438 Sets a timeout interval in seconds after which if no data has
439 been received from the server, ssh will send a message through
440 the encrypted channel to request a response from the server. The
441 default is 0, indicating that these messages will not be sent to
442 the server. This option applies to protocol version 2 only.
443
444 ServerAliveCountMax
445 Sets the number of server alive messages (see above) which may be
446 sent without ssh receiving any messages back from the server. If
447 this threshold is reached while server alive messages are being
448 sent, ssh will disconnect from the server, terminating the ses-
449 sion. It is important to note that the use of server alive mes-
450 sages is very different from TCPKeepAlive (below). The server
451 alive messages are sent through the encrypted channel and there-
452 fore will not be spoofable. The TCP keepalive option enabled by
453 TCPKeepAlive is spoofable. The server alive mechanism is valu-
454 able when the client or server depend on knowing when a connec-
455 tion has become inactive.
456
457 The default value is 3. If, for example, ServerAliveInterval
458 (above) is set to 15, and ServerAliveCountMax is left at the de-
459 fault, if the server becomes unresponsive ssh will disconnect af-
460 ter approximately 45 seconds.
461
462 SmartcardDevice
463 Specifies which smartcard device to use. The argument to this
464 keyword is the device ssh should use to communicate with a smart-
465 card used for storing the user's private RSA key. By default, no
466 device is specified and smartcard support is not activated.
467
468 StrictHostKeyChecking
469 If this flag is set to ``yes'', ssh will never automatically add
470 host keys to the ~/.ssh/known_hosts file, and refuses to connect
471 to hosts whose host key has changed. This provides maximum pro-
472 tection against trojan horse attacks, however, can be annoying
473 when the /etc/ssh/ssh_known_hosts file is poorly maintained, or
474 connections to new hosts are frequently made. This option forces
475 the user to manually add all new hosts. If this flag is set to
476 ``no'', ssh will automatically add new host keys to the user
477 known hosts files. If this flag is set to ``ask'', new host keys
478 will be added to the user known host files only after the user
479 has confirmed that is what they really want to do, and ssh will
480 refuse to connect to hosts whose host key has changed. The host
481 keys of known hosts will be verified automatically in all cases.
482 The argument must be ``yes'', ``no'' or ``ask''. The default is
483 ``ask''.
484
485 TCPKeepAlive
486 Specifies whether the system should send TCP keepalive messages
487 to the other side. If they are sent, death of the connection or
488 crash of one of the machines will be properly noticed. However,
489 this means that connections will die if the route is down tem-
490 porarily, and some people find it annoying.
491
492 The default is ``yes'' (to send TCP keepalive messages), and the
493 client will notice if the network goes down or the remote host
494 dies. This is important in scripts, and many users want it too.
495
496 To disable TCP keepalive messages, the value should be set to
497 ``no''.
498
499 UsePrivilegedPort
500 Specifies whether to use a privileged port for outgoing connec-
501 tions. The argument must be ``yes'' or ``no''. The default is
502 ``no''. If set to ``yes'' ssh must be setuid root. Note that
503 this option must be set to ``yes'' for RhostsRSAAuthentication
504 with older servers.
505
506 User Specifies the user to log in as. This can be useful when a dif-
507 ferent user name is used on different machines. This saves the
508 trouble of having to remember to give the user name on the com-
509 mand line.
510
511 UserKnownHostsFile
512 Specifies a file to use for the user host key database instead of
513 ~/.ssh/known_hosts.
514
515 VerifyHostKeyDNS
516 Specifies whether to verify the remote key using DNS and SSHFP
517 resource records. If this option is set to ``yes'', the client
518 will implicitly trust keys that match a secure fingerprint from
519 DNS. Insecure fingerprints will be handled as if this option was
520 set to ``ask''. If this option is set to ``ask'', information on
521 fingerprint match will be displayed, but the user will still need
522 to confirm new host keys according to the StrictHostKeyChecking
523 option. The argument must be ``yes'', ``no'' or ``ask''. The
524 default is ``no''. Note that this option applies to protocol
525 version 2 only.
526
527 XAuthLocation
528 Specifies the full pathname of the xauth(1) program. The default
529 is /usr/X11R6/bin/xauth.
530
531FILES
532 ~/.ssh/config
533 This is the per-user configuration file. The format of this file
534 is described above. This file is used by the ssh client. Be-
535 cause of the potential for abuse, this file must have strict per-
536 missions: read/write for the user, and not accessible by others.
537
538 /etc/ssh/ssh_config
539 Systemwide configuration file. This file provides defaults for
540 those values that are not specified in the user's configuration
541 file, and for those users who do not have a configuration file.
542 This file must be world-readable.
543
544SEE ALSO
545 ssh(1)
546
547AUTHORS
548 OpenSSH is a derivative of the original and free ssh 1.2.12 release by
549 Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
550 de Raadt and Dug Song removed many bugs, re-added newer features and cre-
551 ated OpenSSH. Markus Friedl contributed the support for SSH protocol
552 versions 1.5 and 2.0.
553
554OpenBSD 3.8 September 25, 1999 9
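Review bot: two typos in the imported text should be fixed in the ssh_config.5 source rather than in this file, since ssh_config.0 is generated nroff output (the trailing "OpenBSD 3.8 September 25, 1999 9" footer and the fused line numbers show it) and would be overwritten on the next regeneration: under ControlMaster, "the display and agent fowarded will" should read "forwarded", and under IdentitiesOnly, "This option is intented for situations" should read "intended"; "non-hostspecific" under EnableSSHKeysign would also read better as "non-host-specific". A second, smaller point for the same reason: the BindAddress text says the option "does not work if UsePrivilegedPort is set to ``yes''", but the UsePrivilegedPort entry does not mention that interaction, so a cross-reference there would keep the two entries consistent.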