author Colin Watson <cjwatson@debian.org> 2003-09-01 00:45:47 +0000
committer Colin Watson <cjwatson@debian.org> 2003-09-01 00:45:47 +0000
commit d984a3c6658e950881edcfb2aae464add93f68d4 (patch)
tree ed2052b4001227cf8179393cba172ae470e6c097 /ssh_config.0
parent 3e36f9f4fff8f5b573f163eecd12a677ce66fe89 (diff)
Import OpenSSH 3.4p1.
Diffstat (limited to 'ssh_config.0')
-rw-r--r-- ssh_config.0 386
1 files changed, 386 insertions, 0 deletions
diff --git a/ssh_config.0 b/ssh_config.0
new file mode 100644
index 000000000..9822ce8d2
--- /dev/null
+++ b/ssh_config.0
@@ -0,0 +1,386 @@
1SSH_CONFIG(5) System File Formats Manual SSH_CONFIG(5)
2
3NAME
4 ssh_config - OpenSSH SSH client configuration files
5
6SYNOPSIS
7 $HOME/.ssh/config
8 /etc/ssh/ssh_config
9
10DESCRIPTION
11 ssh obtains configuration data from the following sources in the followM--
12 ing order: command line options, user's configuration file
13 ($HOME/.ssh/config), and system-wide configuration file
14 (/etc/ssh/ssh_config).
15
16 For each parameter, the first obtained value will be used. The configuM--
17 ration files contain sections bracketed by ``Host'' specifications, and
18 that section is only applied for hosts that match one of the patterns
19 given in the specification. The matched host name is the one given on
20 the command line.
21
22 Since the first obtained value for each parameter is used, more host-speM--
23 cific declarations should be given near the beginning of the file, and
24 general defaults at the end.
25
26 The configuration file has the following format:
27
28 Empty lines and lines starting with `#' are comments.
29
30 Otherwise a line is of the format ``keyword arguments''. Configuration
31 options may be separated by whitespace or optional whitespace and exactly
32 one `='; the latter format is useful to avoid the need to quote whitesM--
33 pace when specifying configuration options using the ssh, scp and sftp -o
34 option.
35
36 The possible keywords and their meanings are as follows (note that keyM--
37 words are case-insensitive and arguments are case-sensitive):
38
39 Host Restricts the following declarations (up to the next Host keyM--
40 word) to be only for those hosts that match one of the patterns
41 given after the keyword. `*' and `'? can be used as wildcards
42 in the patterns. A single `*' as a pattern can be used to proM--
43 vide global defaults for all hosts. The host is the hostname
44 argument given on the command line (i.e., the name is not conM--
45 verted to a canonicalized host name before matching).
46
47 AFSTokenPassing
48 Specifies whether to pass AFS tokens to remote host. The arguM--
49 ment to this keyword must be ``yes'' or ``no''. This option
50 applies to protocol version 1 only.
51
52 BatchMode
53 If set to ``yes'', passphrase/password querying will be disabled.
54 This option is useful in scripts and other batch jobs where no
55 user is present to supply the password. The argument must be
56 ``yes'' or ``no''. The default is ``no''.
57
58 BindAddress
59 Specify the interface to transmit from on machines with multiple
60 interfaces or aliased addresses. Note that this option does not
61 work if UsePrivilegedPort is set to ``yes''.
62
63 ChallengeResponseAuthentication
64 Specifies whether to use challenge response authentication. The
65 argument to this keyword must be ``yes'' or ``no''. The default
66 is ``yes''.
67
68 CheckHostIP
69 If this flag is set to ``yes'', ssh will additionally check the
70 host IP address in the known_hosts file. This allows ssh to
71 detect if a host key changed due to DNS spoofing. If the option
72 is set to ``no'', the check will not be executed. The default is
73 ``yes''.
74
75 Cipher Specifies the cipher to use for encrypting the session in protoM--
76 col version 1. Currently, ``blowfish'', ``3des'', and ``des''
77 are supported. des is only supported in the ssh client for
78 interoperability with legacy protocol 1 implementations that do
79 not support the 3des cipher. Its use is strongly discouraged due
80 to cryptographic weaknesses. The default is ``3des''.
81
82 Ciphers
83 Specifies the ciphers allowed for protocol version 2 in order of
84 preference. Multiple ciphers must be comma-separated. The
85 default is
86
87 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
88 aes192-cbc,aes256-cbc''
89
90 ClearAllForwardings
91 Specifies that all local, remote and dynamic port forwardings
92 specified in the configuration files or on the command line be
93 cleared. This option is primarily useful when used from the ssh
94 command line to clear port forwardings set in configuration
95 files, and is automatically set by scp(1) and sftp(1). The arguM--
96 ment must be ``yes'' or ``no''. The default is ``no''.
97
98 Compression
99 Specifies whether to use compression. The argument must be
100 ``yes'' or ``no''. The default is ``no''.
101
102 CompressionLevel
103 Specifies the compression level to use if compression is enabled.
104 The argument must be an integer from 1 (fast) to 9 (slow, best).
105 The default level is 6, which is good for most applications. The
106 meaning of the values is the same as in gzip(1). Note that this
107 option applies to protocol version 1 only.
108
109 ConnectionAttempts
110 Specifies the number of tries (one per second) to make before
111 exiting. The argument must be an integer. This may be useful in
112 scripts if the connection sometimes fails. The default is 1.
113
114 DynamicForward
115 Specifies that a TCP/IP port on the local machine be forwarded
116 over the secure channel, and the application protocol is then
117 used to determine where to connect to from the remote machine.
118 The argument must be a port number. Currently the SOCKS4 protoM--
119 col is supported, and ssh will act as a SOCKS4 server. Multiple
120 forwardings may be specified, and additional forwardings can be
121 given on the command line. Only the superuser can forward priviM--
122 leged ports.
123
124 EscapeChar
125 Sets the escape character (default: `~'). The escape character
126 can also be set on the command line. The argument should be a
127 single character, `^' followed by a letter, or ``none'' to disM--
128 able the escape character entirely (making the connection transM--
129 parent for binary data).
130
131 ForwardAgent
132 Specifies whether the connection to the authentication agent (if
133 any) will be forwarded to the remote machine. The argument must
134 be ``yes'' or ``no''. The default is ``no''.
135
136 ForwardX11
137 Specifies whether X11 connections will be automatically rediM--
138 rected over the secure channel and DISPLAY set. The argument
139 must be ``yes'' or ``no''. The default is ``no''.
140
141 GatewayPorts
142 Specifies whether remote hosts are allowed to connect to local
143 forwarded ports. By default, ssh binds local port forwardings to
144 the loopback address. This prevents other remote hosts from conM--
145 necting to forwarded ports. GatewayPorts can be used to specify
146 that ssh should bind local port forwardings to the wildcard
147 address, thus allowing remote hosts to connect to forwarded
148 ports. The argument must be ``yes'' or ``no''. The default is
149 ``no''.
150
151 GlobalKnownHostsFile
152 Specifies a file to use for the global host key database instead
153 of /etc/ssh/ssh_known_hosts.
154
155 HostbasedAuthentication
156 Specifies whether to try rhosts based authentication with public
157 key authentication. The argument must be ``yes'' or ``no''. The
158 default is ``no''. This option applies to protocol version 2
159 only and is similar to RhostsRSAAuthentication.
160
161 HostKeyAlgorithms
162 Specifies the protocol version 2 host key algorithms that the
163 client wants to use in order of preference. The default for this
164 option is: ``ssh-rsa,ssh-dss''.
165
166 HostKeyAlias
167 Specifies an alias that should be used instead of the real host
168 name when looking up or saving the host key in the host key
169 database files. This option is useful for tunneling ssh connecM--
170 tions or for multiple servers running on a single host.
171
172 HostName
173 Specifies the real host name to log into. This can be used to
174 specify nicknames or abbreviations for hosts. Default is the
175 name given on the command line. Numeric IP addresses are also
176 permitted (both on the command line and in HostName specificaM--
177 tions).
178
179 IdentityFile
180 Specifies a file from which the user's RSA or DSA authentication
181 identity is read. The default is $HOME/.ssh/identity for protocol
182 version 1, and $HOME/.ssh/id_rsa and $HOME/.ssh/id_dsa for protoM--
183 col version 2. Additionally, any identities represented by the
184 authentication agent will be used for authentication. The file
185 name may use the tilde syntax to refer to a user's home direcM--
186 tory. It is possible to have multiple identity files specified
187 in configuration files; all these identities will be tried in
188 sequence.
189
190 KeepAlive
191 Specifies whether the system should send TCP keepalive messages
192 to the other side. If they are sent, death of the connection or
193 crash of one of the machines will be properly noticed. However,
194 this means that connections will die if the route is down temM--
195 porarily, and some people find it annoying.
196
197 The default is ``yes'' (to send keepalives), and the client will
198 notice if the network goes down or the remote host dies. This is
199 important in scripts, and many users want it too.
200
201 To disable keepalives, the value should be set to ``no''.
202
203 KerberosAuthentication
204 Specifies whether Kerberos authentication will be used. The
205 argument to this keyword must be ``yes'' or ``no''.
206
207 KerberosTgtPassing
208 Specifies whether a Kerberos TGT will be forwarded to the server.
209 This will only work if the Kerberos server is actually an AFS
210 kaserver. The argument to this keyword must be ``yes'' or
211 ``no''.
212
213 LocalForward
214 Specifies that a TCP/IP port on the local machine be forwarded
215 over the secure channel to the specified host and port from the
216 remote machine. The first argument must be a port number, and
217 the second must be host:port. IPv6 addresses can be specified
218 with an alternative syntax: host/port. Multiple forwardings may
219 be specified, and additional forwardings can be given on the comM--
220 mand line. Only the superuser can forward privileged ports.
221
222 LogLevel
223 Gives the verbosity level that is used when logging messages from
224 ssh. The possible values are: QUIET, FATAL, ERROR, INFO, VERM--
225 BOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. The default is INFO.
226 DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify
227 higher levels of verbose output.
228
229 MACs Specifies the MAC (message authentication code) algorithms in
230 order of preference. The MAC algorithm is used in protocol verM--
231 sion 2 for data integrity protection. Multiple algorithms must
232 be comma-separated. The default is
233 ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96''.
234
235 NoHostAuthenticationForLocalhost
236 This option can be used if the home directory is shared across
237 machines. In this case localhost will refer to a different
238 machine on each of the machines and the user will get many warnM--
239 ings about changed host keys. However, this option disables host
240 authentication for localhost. The argument to this keyword must
241 be ``yes'' or ``no''. The default is to check the host key for
242 localhost.
243
244 NumberOfPasswordPrompts
245 Specifies the number of password prompts before giving up. The
246 argument to this keyword must be an integer. Default is 3.
247
248 PasswordAuthentication
249 Specifies whether to use password authentication. The argument
250 to this keyword must be ``yes'' or ``no''. The default is
251 ``yes''.
252
253 Port Specifies the port number to connect on the remote host. Default
254 is 22.
255
256 PreferredAuthentications
257 Specifies the order in which the client should try protocol 2
258 authentication methods. This allows a client to prefer one method
259 (e.g. keyboard-interactive) over another method (e.g. password)
260 The default for this option is:
261 ``hostbased,publickey,keyboard-interactive,password''.
262
263 Protocol
264 Specifies the protocol versions ssh should support in order of
265 preference. The possible values are ``1'' and ``2''. Multiple
266 versions must be comma-separated. The default is ``2,1''. This
267 means that ssh tries version 2 and falls back to version 1 if
268 version 2 is not available.
269
270 ProxyCommand
271 Specifies the command to use to connect to the server. The comM--
272 mand string extends to the end of the line, and is executed with
273 /bin/sh. In the command string, `%h' will be substituted by the
274 host name to connect and `%p' by the port. The command can be
275 basically anything, and should read from its standard input and
276 write to its standard output. It should eventually connect an
277 sshd(8) server running on some machine, or execute sshd -i someM--
278 where. Host key management will be done using the HostName of
279 the host being connected (defaulting to the name typed by the
280 user). Note that CheckHostIP is not available for connects with
281 a proxy command.
282
283 PubkeyAuthentication
284 Specifies whether to try public key authentication. The argument
285 to this keyword must be ``yes'' or ``no''. The default is
286 ``yes''. This option applies to protocol version 2 only.
287
288 RemoteForward
289 Specifies that a TCP/IP port on the remote machine be forwarded
290 over the secure channel to the specified host and port from the
291 local machine. The first argument must be a port number, and the
292 second must be host:port. IPv6 addresses can be specified with
293 an alternative syntax: host/port. Multiple forwardings may be
294 specified, and additional forwardings can be given on the command
295 line. Only the superuser can forward privileged ports.
296
297 RhostsAuthentication
298 Specifies whether to try rhosts based authentication. Note that
299 this declaration only affects the client side and has no effect
300 whatsoever on security. Most servers do not permit RhostsAuthenM--
301 tication because it is not secure (see RhostsRSAAuthentication).
302 The argument to this keyword must be ``yes'' or ``no''. The
303 default is ``no''. This option applies to protocol version 1
304 only.
305
306 RhostsRSAAuthentication
307 Specifies whether to try rhosts based authentication with RSA
308 host authentication. The argument must be ``yes'' or ``no''.
309 The default is ``no''. This option applies to protocol version 1
310 only and requires ssh to be setuid root.
311
312 RSAAuthentication
313 Specifies whether to try RSA authentication. The argument to
314 this keyword must be ``yes'' or ``no''. RSA authentication will
315 only be attempted if the identity file exists, or an authenticaM--
316 tion agent is running. The default is ``yes''. Note that this
317 option applies to protocol version 1 only.
318
319 SmartcardDevice
320 Specifies which smartcard device to use. The argument to this
321 keyword is the device ssh should use to communicate with a smartM--
322 card used for storing the user's private RSA key. By default, no
323 device is specified and smartcard support is not activated.
324
325 StrictHostKeyChecking
326 If this flag is set to ``yes'', ssh will never automatically add
327 host keys to the $HOME/.ssh/known_hosts file, and refuses to conM--
328 nect to hosts whose host key has changed. This provides maximum
329 protection against trojan horse attacks, however, can be annoying
330 when the /etc/ssh/ssh_known_hosts file is poorly maintained, or
331 connections to new hosts are frequently made. This option forces
332 the user to manually add all new hosts. If this flag is set to
333 ``no'', ssh will automatically add new host keys to the user
334 known hosts files. If this flag is set to ``ask'', new host keys
335 will be added to the user known host files only after the user
336 has confirmed that is what they really want to do, and ssh will
337 refuse to connect to hosts whose host key has changed. The host
338 keys of known hosts will be verified automatically in all cases.
339 The argument must be ``yes'', ``no'' or ``ask''. The default is
340 ``ask''.
341
342 UsePrivilegedPort
343 Specifies whether to use a privileged port for outgoing connecM--
344 tions. The argument must be ``yes'' or ``no''. The default is
345 ``no''. Note that this option must be set to ``yes'' if
346 RhostsAuthentication and RhostsRSAAuthentication authentications
347 are needed with older servers.
348
349 User Specifies the user to log in as. This can be useful when a difM--
350 ferent user name is used on different machines. This saves the
351 trouble of having to remember to give the user name on the comM--
352 mand line.
353
354 UserKnownHostsFile
355 Specifies a file to use for the user host key database instead of
356 $HOME/.ssh/known_hosts.
357
358 XAuthLocation
359 Specifies the location of the xauth(1) program. The default is
360 /usr/X11R6/bin/xauth.
361
362FILES
363 $HOME/.ssh/config
364 This is the per-user configuration file. The format of this file
365 is described above. This file is used by the ssh client. This
366 file does not usually contain any sensitive information, but the
367 recommended permissions are read/write for the user, and not
368 accessible by others.
369
370 /etc/ssh/ssh_config
371 Systemwide configuration file. This file provides defaults for
372 those values that are not specified in the user's configuration
373 file, and for those users who do not have a configuration file.
374 This file must be world-readable.
375
376AUTHORS
377 OpenSSH is a derivative of the original and free ssh 1.2.12 release by
378 Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
379 de Raadt and Dug Song removed many bugs, re-added newer features and creM--
380 ated OpenSSH. Markus Friedl contributed the support for SSH protocol
381 versions 1.5 and 2.0.
382
383SEE ALSO
384 ssh(1)
385
386BSD September 25, 1999 BSD
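Review bot: every end-of-line hyphenation in this rendered manual page comes through as `M--` (for example `followM--` / `ing` at the top of DESCRIPTION, `keyM--` / `words` in the keyword preamble, and `conM--` / `nect` under StrictHostKeyChecking), which is how an 8-bit soft hyphen (0xAD) prints when the formatter emitted Latin-1 rather than plain ASCII; ssh_config.0 should be regenerated with an ASCII output device, or the soft hyphens stripped, so the file reads correctly in pagers, grep and diffs that do not treat it as Latin-1. Two smaller points in the same hunk, both inherited from the upstream 3.4p1 text and worth carrying in the Debian patch set if they are not fixed upstream: the Host entry has the closing quote on the wrong side of the second wildcard (`` `*' and `'? can be used as wildcards`` should read `` `*' and `?' ``), and the footer still reads `September 25, 1999` even though the page documents protocol 2 keywords such as Ciphers, MACs and HostKeyAlgorithms, so the date in the source manual should be checked the next time the rendered page is regenerated.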