diff options
author | Colin Watson <cjwatson@debian.org> | 2003-09-01 00:45:47 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2003-09-01 00:45:47 +0000 |
commit | d984a3c6658e950881edcfb2aae464add93f68d4 (patch) | |
tree | ed2052b4001227cf8179393cba172ae470e6c097 /ssh_config.0 | |
parent | 3e36f9f4fff8f5b573f163eecd12a677ce66fe89 (diff) |
Import OpenSSH 3.4p1.
Diffstat (limited to 'ssh_config.0')
-rw-r--r-- | ssh_config.0 | 386 |
1 files changed, 386 insertions, 0 deletions
diff --git a/ssh_config.0 b/ssh_config.0 new file mode 100644 index 000000000..9822ce8d2 --- /dev/null +++ b/ssh_config.0 | |||
@@ -0,0 +1,386 @@ | |||
1 | SSH_CONFIG(5) System File Formats Manual SSH_CONFIG(5) | ||
2 | |||
3 | NAME | ||
4 | ssh_config - OpenSSH SSH client configuration files | ||
5 | |||
6 | SYNOPSIS | ||
7 | $HOME/.ssh/config | ||
8 | /etc/ssh/ssh_config | ||
9 | |||
10 | DESCRIPTION | ||
11 | ssh obtains configuration data from the following sources in the followM-- | ||
12 | ing order: command line options, user's configuration file | ||
13 | ($HOME/.ssh/config), and system-wide configuration file | ||
14 | (/etc/ssh/ssh_config). | ||
15 | |||
16 | For each parameter, the first obtained value will be used. The configuM-- | ||
17 | ration files contain sections bracketed by ``Host'' specifications, and | ||
18 | that section is only applied for hosts that match one of the patterns | ||
19 | given in the specification. The matched host name is the one given on | ||
20 | the command line. | ||
21 | |||
22 | Since the first obtained value for each parameter is used, more host-speM-- | ||
23 | cific declarations should be given near the beginning of the file, and | ||
24 | general defaults at the end. | ||
25 | |||
26 | The configuration file has the following format: | ||
27 | |||
28 | Empty lines and lines starting with `#' are comments. | ||
29 | |||
30 | Otherwise a line is of the format ``keyword arguments''. Configuration | ||
31 | options may be separated by whitespace or optional whitespace and exactly | ||
32 | one `='; the latter format is useful to avoid the need to quote whitesM-- | ||
33 | pace when specifying configuration options using the ssh, scp and sftp -o | ||
34 | option. | ||
35 | |||
36 | The possible keywords and their meanings are as follows (note that keyM-- | ||
37 | words are case-insensitive and arguments are case-sensitive): | ||
38 | |||
39 | Host Restricts the following declarations (up to the next Host keyM-- | ||
40 | word) to be only for those hosts that match one of the patterns | ||
41 | given after the keyword. `*' and `'? can be used as wildcards | ||
42 | in the patterns. A single `*' as a pattern can be used to proM-- | ||
43 | vide global defaults for all hosts. The host is the hostname | ||
44 | argument given on the command line (i.e., the name is not conM-- | ||
45 | verted to a canonicalized host name before matching). | ||
46 | |||
47 | AFSTokenPassing | ||
48 | Specifies whether to pass AFS tokens to remote host. The arguM-- | ||
49 | ment to this keyword must be ``yes'' or ``no''. This option | ||
50 | applies to protocol version 1 only. | ||
51 | |||
52 | BatchMode | ||
53 | If set to ``yes'', passphrase/password querying will be disabled. | ||
54 | This option is useful in scripts and other batch jobs where no | ||
55 | user is present to supply the password. The argument must be | ||
56 | ``yes'' or ``no''. The default is ``no''. | ||
57 | |||
58 | BindAddress | ||
59 | Specify the interface to transmit from on machines with multiple | ||
60 | interfaces or aliased addresses. Note that this option does not | ||
61 | work if UsePrivilegedPort is set to ``yes''. | ||
62 | |||
63 | ChallengeResponseAuthentication | ||
64 | Specifies whether to use challenge response authentication. The | ||
65 | argument to this keyword must be ``yes'' or ``no''. The default | ||
66 | is ``yes''. | ||
67 | |||
68 | CheckHostIP | ||
69 | If this flag is set to ``yes'', ssh will additionally check the | ||
70 | host IP address in the known_hosts file. This allows ssh to | ||
71 | detect if a host key changed due to DNS spoofing. If the option | ||
72 | is set to ``no'', the check will not be executed. The default is | ||
73 | ``yes''. | ||
74 | |||
75 | Cipher Specifies the cipher to use for encrypting the session in protoM-- | ||
76 | col version 1. Currently, ``blowfish'', ``3des'', and ``des'' | ||
77 | are supported. des is only supported in the ssh client for | ||
78 | interoperability with legacy protocol 1 implementations that do | ||
79 | not support the 3des cipher. Its use is strongly discouraged due | ||
80 | to cryptographic weaknesses. The default is ``3des''. | ||
81 | |||
82 | Ciphers | ||
83 | Specifies the ciphers allowed for protocol version 2 in order of | ||
84 | preference. Multiple ciphers must be comma-separated. The | ||
85 | default is | ||
86 | |||
87 | ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, | ||
88 | aes192-cbc,aes256-cbc'' | ||
89 | |||
90 | ClearAllForwardings | ||
91 | Specifies that all local, remote and dynamic port forwardings | ||
92 | specified in the configuration files or on the command line be | ||
93 | cleared. This option is primarily useful when used from the ssh | ||
94 | command line to clear port forwardings set in configuration | ||
95 | files, and is automatically set by scp(1) and sftp(1). The arguM-- | ||
96 | ment must be ``yes'' or ``no''. The default is ``no''. | ||
97 | |||
98 | Compression | ||
99 | Specifies whether to use compression. The argument must be | ||
100 | ``yes'' or ``no''. The default is ``no''. | ||
101 | |||
102 | CompressionLevel | ||
103 | Specifies the compression level to use if compression is enabled. | ||
104 | The argument must be an integer from 1 (fast) to 9 (slow, best). | ||
105 | The default level is 6, which is good for most applications. The | ||
106 | meaning of the values is the same as in gzip(1). Note that this | ||
107 | option applies to protocol version 1 only. | ||
108 | |||
109 | ConnectionAttempts | ||
110 | Specifies the number of tries (one per second) to make before | ||
111 | exiting. The argument must be an integer. This may be useful in | ||
112 | scripts if the connection sometimes fails. The default is 1. | ||
113 | |||
114 | DynamicForward | ||
115 | Specifies that a TCP/IP port on the local machine be forwarded | ||
116 | over the secure channel, and the application protocol is then | ||
117 | used to determine where to connect to from the remote machine. | ||
118 | The argument must be a port number. Currently the SOCKS4 protoM-- | ||
119 | col is supported, and ssh will act as a SOCKS4 server. Multiple | ||
120 | forwardings may be specified, and additional forwardings can be | ||
121 | given on the command line. Only the superuser can forward priviM-- | ||
122 | leged ports. | ||
123 | |||
124 | EscapeChar | ||
125 | Sets the escape character (default: `~'). The escape character | ||
126 | can also be set on the command line. The argument should be a | ||
127 | single character, `^' followed by a letter, or ``none'' to disM-- | ||
128 | able the escape character entirely (making the connection transM-- | ||
129 | parent for binary data). | ||
130 | |||
131 | ForwardAgent | ||
132 | Specifies whether the connection to the authentication agent (if | ||
133 | any) will be forwarded to the remote machine. The argument must | ||
134 | be ``yes'' or ``no''. The default is ``no''. | ||
135 | |||
136 | ForwardX11 | ||
137 | Specifies whether X11 connections will be automatically rediM-- | ||
138 | rected over the secure channel and DISPLAY set. The argument | ||
139 | must be ``yes'' or ``no''. The default is ``no''. | ||
140 | |||
141 | GatewayPorts | ||
142 | Specifies whether remote hosts are allowed to connect to local | ||
143 | forwarded ports. By default, ssh binds local port forwardings to | ||
144 | the loopback address. This prevents other remote hosts from conM-- | ||
145 | necting to forwarded ports. GatewayPorts can be used to specify | ||
146 | that ssh should bind local port forwardings to the wildcard | ||
147 | address, thus allowing remote hosts to connect to forwarded | ||
148 | ports. The argument must be ``yes'' or ``no''. The default is | ||
149 | ``no''. | ||
150 | |||
151 | GlobalKnownHostsFile | ||
152 | Specifies a file to use for the global host key database instead | ||
153 | of /etc/ssh/ssh_known_hosts. | ||
154 | |||
155 | HostbasedAuthentication | ||
156 | Specifies whether to try rhosts based authentication with public | ||
157 | key authentication. The argument must be ``yes'' or ``no''. The | ||
158 | default is ``no''. This option applies to protocol version 2 | ||
159 | only and is similar to RhostsRSAAuthentication. | ||
160 | |||
161 | HostKeyAlgorithms | ||
162 | Specifies the protocol version 2 host key algorithms that the | ||
163 | client wants to use in order of preference. The default for this | ||
164 | option is: ``ssh-rsa,ssh-dss''. | ||
165 | |||
166 | HostKeyAlias | ||
167 | Specifies an alias that should be used instead of the real host | ||
168 | name when looking up or saving the host key in the host key | ||
169 | database files. This option is useful for tunneling ssh connecM-- | ||
170 | tions or for multiple servers running on a single host. | ||
171 | |||
172 | HostName | ||
173 | Specifies the real host name to log into. This can be used to | ||
174 | specify nicknames or abbreviations for hosts. Default is the | ||
175 | name given on the command line. Numeric IP addresses are also | ||
176 | permitted (both on the command line and in HostName specificaM-- | ||
177 | tions). | ||
178 | |||
179 | IdentityFile | ||
180 | Specifies a file from which the user's RSA or DSA authentication | ||
181 | identity is read. The default is $HOME/.ssh/identity for protocol | ||
182 | version 1, and $HOME/.ssh/id_rsa and $HOME/.ssh/id_dsa for protoM-- | ||
183 | col version 2. Additionally, any identities represented by the | ||
184 | authentication agent will be used for authentication. The file | ||
185 | name may use the tilde syntax to refer to a user's home direcM-- | ||
186 | tory. It is possible to have multiple identity files specified | ||
187 | in configuration files; all these identities will be tried in | ||
188 | sequence. | ||
189 | |||
190 | KeepAlive | ||
191 | Specifies whether the system should send TCP keepalive messages | ||
192 | to the other side. If they are sent, death of the connection or | ||
193 | crash of one of the machines will be properly noticed. However, | ||
194 | this means that connections will die if the route is down temM-- | ||
195 | porarily, and some people find it annoying. | ||
196 | |||
197 | The default is ``yes'' (to send keepalives), and the client will | ||
198 | notice if the network goes down or the remote host dies. This is | ||
199 | important in scripts, and many users want it too. | ||
200 | |||
201 | To disable keepalives, the value should be set to ``no''. | ||
202 | |||
203 | KerberosAuthentication | ||
204 | Specifies whether Kerberos authentication will be used. The | ||
205 | argument to this keyword must be ``yes'' or ``no''. | ||
206 | |||
207 | KerberosTgtPassing | ||
208 | Specifies whether a Kerberos TGT will be forwarded to the server. | ||
209 | This will only work if the Kerberos server is actually an AFS | ||
210 | kaserver. The argument to this keyword must be ``yes'' or | ||
211 | ``no''. | ||
212 | |||
213 | LocalForward | ||
214 | Specifies that a TCP/IP port on the local machine be forwarded | ||
215 | over the secure channel to the specified host and port from the | ||
216 | remote machine. The first argument must be a port number, and | ||
217 | the second must be host:port. IPv6 addresses can be specified | ||
218 | with an alternative syntax: host/port. Multiple forwardings may | ||
219 | be specified, and additional forwardings can be given on the comM-- | ||
220 | mand line. Only the superuser can forward privileged ports. | ||
221 | |||
222 | LogLevel | ||
223 | Gives the verbosity level that is used when logging messages from | ||
224 | ssh. The possible values are: QUIET, FATAL, ERROR, INFO, VERM-- | ||
225 | BOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. The default is INFO. | ||
226 | DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify | ||
227 | higher levels of verbose output. | ||
228 | |||
229 | MACs Specifies the MAC (message authentication code) algorithms in | ||
230 | order of preference. The MAC algorithm is used in protocol verM-- | ||
231 | sion 2 for data integrity protection. Multiple algorithms must | ||
232 | be comma-separated. The default is | ||
233 | ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96''. | ||
234 | |||
235 | NoHostAuthenticationForLocalhost | ||
236 | This option can be used if the home directory is shared across | ||
237 | machines. In this case localhost will refer to a different | ||
238 | machine on each of the machines and the user will get many warnM-- | ||
239 | ings about changed host keys. However, this option disables host | ||
240 | authentication for localhost. The argument to this keyword must | ||
241 | be ``yes'' or ``no''. The default is to check the host key for | ||
242 | localhost. | ||
243 | |||
244 | NumberOfPasswordPrompts | ||
245 | Specifies the number of password prompts before giving up. The | ||
246 | argument to this keyword must be an integer. Default is 3. | ||
247 | |||
248 | PasswordAuthentication | ||
249 | Specifies whether to use password authentication. The argument | ||
250 | to this keyword must be ``yes'' or ``no''. The default is | ||
251 | ``yes''. | ||
252 | |||
253 | Port Specifies the port number to connect on the remote host. Default | ||
254 | is 22. | ||
255 | |||
256 | PreferredAuthentications | ||
257 | Specifies the order in which the client should try protocol 2 | ||
258 | authentication methods. This allows a client to prefer one method | ||
259 | (e.g. keyboard-interactive) over another method (e.g. password) | ||
260 | The default for this option is: | ||
261 | ``hostbased,publickey,keyboard-interactive,password''. | ||
262 | |||
263 | Protocol | ||
264 | Specifies the protocol versions ssh should support in order of | ||
265 | preference. The possible values are ``1'' and ``2''. Multiple | ||
266 | versions must be comma-separated. The default is ``2,1''. This | ||
267 | means that ssh tries version 2 and falls back to version 1 if | ||
268 | version 2 is not available. | ||
269 | |||
270 | ProxyCommand | ||
271 | Specifies the command to use to connect to the server. The comM-- | ||
272 | mand string extends to the end of the line, and is executed with | ||
273 | /bin/sh. In the command string, `%h' will be substituted by the | ||
274 | host name to connect and `%p' by the port. The command can be | ||
275 | basically anything, and should read from its standard input and | ||
276 | write to its standard output. It should eventually connect an | ||
277 | sshd(8) server running on some machine, or execute sshd -i someM-- | ||
278 | where. Host key management will be done using the HostName of | ||
279 | the host being connected (defaulting to the name typed by the | ||
280 | user). Note that CheckHostIP is not available for connects with | ||
281 | a proxy command. | ||
282 | |||
283 | PubkeyAuthentication | ||
284 | Specifies whether to try public key authentication. The argument | ||
285 | to this keyword must be ``yes'' or ``no''. The default is | ||
286 | ``yes''. This option applies to protocol version 2 only. | ||
287 | |||
288 | RemoteForward | ||
289 | Specifies that a TCP/IP port on the remote machine be forwarded | ||
290 | over the secure channel to the specified host and port from the | ||
291 | local machine. The first argument must be a port number, and the | ||
292 | second must be host:port. IPv6 addresses can be specified with | ||
293 | an alternative syntax: host/port. Multiple forwardings may be | ||
294 | specified, and additional forwardings can be given on the command | ||
295 | line. Only the superuser can forward privileged ports. | ||
296 | |||
297 | RhostsAuthentication | ||
298 | Specifies whether to try rhosts based authentication. Note that | ||
299 | this declaration only affects the client side and has no effect | ||
300 | whatsoever on security. Most servers do not permit RhostsAuthenM-- | ||
301 | tication because it is not secure (see RhostsRSAAuthentication). | ||
302 | The argument to this keyword must be ``yes'' or ``no''. The | ||
303 | default is ``no''. This option applies to protocol version 1 | ||
304 | only. | ||
305 | |||
306 | RhostsRSAAuthentication | ||
307 | Specifies whether to try rhosts based authentication with RSA | ||
308 | host authentication. The argument must be ``yes'' or ``no''. | ||
309 | The default is ``no''. This option applies to protocol version 1 | ||
310 | only and requires ssh to be setuid root. | ||
311 | |||
312 | RSAAuthentication | ||
313 | Specifies whether to try RSA authentication. The argument to | ||
314 | this keyword must be ``yes'' or ``no''. RSA authentication will | ||
315 | only be attempted if the identity file exists, or an authenticaM-- | ||
316 | tion agent is running. The default is ``yes''. Note that this | ||
317 | option applies to protocol version 1 only. | ||
318 | |||
319 | SmartcardDevice | ||
320 | Specifies which smartcard device to use. The argument to this | ||
321 | keyword is the device ssh should use to communicate with a smartM-- | ||
322 | card used for storing the user's private RSA key. By default, no | ||
323 | device is specified and smartcard support is not activated. | ||
324 | |||
325 | StrictHostKeyChecking | ||
326 | If this flag is set to ``yes'', ssh will never automatically add | ||
327 | host keys to the $HOME/.ssh/known_hosts file, and refuses to conM-- | ||
328 | nect to hosts whose host key has changed. This provides maximum | ||
329 | protection against trojan horse attacks, however, can be annoying | ||
330 | when the /etc/ssh/ssh_known_hosts file is poorly maintained, or | ||
331 | connections to new hosts are frequently made. This option forces | ||
332 | the user to manually add all new hosts. If this flag is set to | ||
333 | ``no'', ssh will automatically add new host keys to the user | ||
334 | known hosts files. If this flag is set to ``ask'', new host keys | ||
335 | will be added to the user known host files only after the user | ||
336 | has confirmed that is what they really want to do, and ssh will | ||
337 | refuse to connect to hosts whose host key has changed. The host | ||
338 | keys of known hosts will be verified automatically in all cases. | ||
339 | The argument must be ``yes'', ``no'' or ``ask''. The default is | ||
340 | ``ask''. | ||
341 | |||
342 | UsePrivilegedPort | ||
343 | Specifies whether to use a privileged port for outgoing connecM-- | ||
344 | tions. The argument must be ``yes'' or ``no''. The default is | ||
345 | ``no''. Note that this option must be set to ``yes'' if | ||
346 | RhostsAuthentication and RhostsRSAAuthentication authentications | ||
347 | are needed with older servers. | ||
348 | |||
349 | User Specifies the user to log in as. This can be useful when a difM-- | ||
350 | ferent user name is used on different machines. This saves the | ||
351 | trouble of having to remember to give the user name on the comM-- | ||
352 | mand line. | ||
353 | |||
354 | UserKnownHostsFile | ||
355 | Specifies a file to use for the user host key database instead of | ||
356 | $HOME/.ssh/known_hosts. | ||
357 | |||
358 | XAuthLocation | ||
359 | Specifies the location of the xauth(1) program. The default is | ||
360 | /usr/X11R6/bin/xauth. | ||
361 | |||
362 | FILES | ||
363 | $HOME/.ssh/config | ||
364 | This is the per-user configuration file. The format of this file | ||
365 | is described above. This file is used by the ssh client. This | ||
366 | file does not usually contain any sensitive information, but the | ||
367 | recommended permissions are read/write for the user, and not | ||
368 | accessible by others. | ||
369 | |||
370 | /etc/ssh/ssh_config | ||
371 | Systemwide configuration file. This file provides defaults for | ||
372 | those values that are not specified in the user's configuration | ||
373 | file, and for those users who do not have a configuration file. | ||
374 | This file must be world-readable. | ||
375 | |||
376 | AUTHORS | ||
377 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by | ||
378 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo | ||
379 | de Raadt and Dug Song removed many bugs, re-added newer features and creM-- | ||
380 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol | ||
381 | versions 1.5 and 2.0. | ||
382 | |||
383 | SEE ALSO | ||
384 | ssh(1) | ||
385 | |||
386 | BSD September 25, 1999 BSD | ||