diff options
author | Colin Watson <cjwatson@debian.org> | 2006-05-12 07:53:24 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2006-05-12 07:53:24 +0000 |
commit | 3e2e0ac10674d77618c4c7339e18b83ced247492 (patch) | |
tree | 8c7fd1c2333a75d57aa1cb5dfaee2310b1f3d37a /ssh_config.0 | |
parent | 56cf3dc50961bcc871a2d86984049e80c24d6456 (diff) | |
parent | 16704d57999d987fb8d9ba53379841a79f016d67 (diff) |
Import OpenSSH 4.3p2.
Diffstat (limited to 'ssh_config.0')
-rw-r--r-- | ssh_config.0 | 596 |
1 files changed, 596 insertions, 0 deletions
diff --git a/ssh_config.0 b/ssh_config.0 new file mode 100644 index 000000000..46a0543c3 --- /dev/null +++ b/ssh_config.0 | |||
@@ -0,0 +1,596 @@ | |||
1 | SSH_CONFIG(5) OpenBSD Programmer's Manual SSH_CONFIG(5) | ||
2 | |||
3 | NAME | ||
4 | ssh_config - OpenSSH SSH client configuration files | ||
5 | |||
6 | SYNOPSIS | ||
7 | ~/.ssh/config | ||
8 | /etc/ssh/ssh_config | ||
9 | |||
10 | DESCRIPTION | ||
11 | ssh obtains configuration data from the following sources in the follow- | ||
12 | ing order: | ||
13 | 1. command-line options | ||
14 | 2. user's configuration file (~/.ssh/config) | ||
15 | 3. system-wide configuration file (/etc/ssh/ssh_config) | ||
16 | |||
17 | For each parameter, the first obtained value will be used. The configu- | ||
18 | ration files contain sections separated by ``Host'' specifications, and | ||
19 | that section is only applied for hosts that match one of the patterns | ||
20 | given in the specification. The matched host name is the one given on | ||
21 | the command line. | ||
22 | |||
23 | Since the first obtained value for each parameter is used, more host-spe- | ||
24 | cific declarations should be given near the beginning of the file, and | ||
25 | general defaults at the end. | ||
26 | |||
27 | The configuration file has the following format: | ||
28 | |||
29 | Empty lines and lines starting with `#' are comments. | ||
30 | |||
31 | Otherwise a line is of the format ``keyword arguments''. Configuration | ||
32 | options may be separated by whitespace or optional whitespace and exactly | ||
33 | one `='; the latter format is useful to avoid the need to quote whites- | ||
34 | pace when specifying configuration options using the ssh, scp and sftp -o | ||
35 | option. | ||
36 | |||
37 | The possible keywords and their meanings are as follows (note that key- | ||
38 | words are case-insensitive and arguments are case-sensitive): | ||
39 | |||
40 | Host Restricts the following declarations (up to the next Host key- | ||
41 | word) to be only for those hosts that match one of the patterns | ||
42 | given after the keyword. `*' and `?' can be used as wildcards in | ||
43 | the patterns. A single `*' as a pattern can be used to provide | ||
44 | global defaults for all hosts. The host is the hostname argument | ||
45 | given on the command line (i.e., the name is not converted to a | ||
46 | canonicalized host name before matching). | ||
47 | |||
48 | AddressFamily | ||
49 | Specifies which address family to use when connecting. Valid ar- | ||
50 | guments are ``any'', ``inet'' (use IPv4 only) or ``inet6'' (use | ||
51 | IPv6 only). | ||
52 | |||
53 | BatchMode | ||
54 | If set to ``yes'', passphrase/password querying will be disabled. | ||
55 | This option is useful in scripts and other batch jobs where no | ||
56 | user is present to supply the password. The argument must be | ||
57 | ``yes'' or ``no''. The default is ``no''. | ||
58 | |||
59 | BindAddress | ||
60 | Use the specified address on the local machine as the source ad- | ||
61 | dress of the connection. Only useful on systems with more than | ||
62 | one address. Note that this option does not work if | ||
63 | UsePrivilegedPort is set to ``yes''. | ||
64 | |||
65 | ChallengeResponseAuthentication | ||
66 | Specifies whether to use challenge response authentication. The | ||
67 | argument to this keyword must be ``yes'' or ``no''. The default | ||
68 | is ``yes''. | ||
69 | |||
70 | CheckHostIP | ||
71 | If this flag is set to ``yes'', ssh will additionally check the | ||
72 | host IP address in the known_hosts file. This allows ssh to de- | ||
73 | tect if a host key changed due to DNS spoofing. If the option is | ||
74 | set to ``no'', the check will not be executed. The default is | ||
75 | ``yes''. | ||
76 | |||
77 | Cipher Specifies the cipher to use for encrypting the session in proto- | ||
78 | col version 1. Currently, ``blowfish'', ``3des'', and ``des'' | ||
79 | are supported. des is only supported in the ssh client for in- | ||
80 | teroperability with legacy protocol 1 implementations that do not | ||
81 | support the 3des cipher. Its use is strongly discouraged due to | ||
82 | cryptographic weaknesses. The default is ``3des''. | ||
83 | |||
84 | Ciphers | ||
85 | Specifies the ciphers allowed for protocol version 2 in order of | ||
86 | preference. Multiple ciphers must be comma-separated. The sup- | ||
87 | ported ciphers are ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', | ||
88 | ``aes256-cbc'', ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', | ||
89 | ``arcfour128'', ``arcfour256'', ``arcfour'', ``blowfish-cbc'', | ||
90 | and ``cast128-cbc''. The default is | ||
91 | |||
92 | ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, | ||
93 | arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, | ||
94 | aes192-ctr,aes256-ctr'' | ||
95 | |||
96 | ClearAllForwardings | ||
97 | Specifies that all local, remote and dynamic port forwardings | ||
98 | specified in the configuration files or on the command line be | ||
99 | cleared. This option is primarily useful when used from the ssh | ||
100 | command line to clear port forwardings set in configuration | ||
101 | files, and is automatically set by scp(1) and sftp(1). The argu- | ||
102 | ment must be ``yes'' or ``no''. The default is ``no''. | ||
103 | |||
104 | Compression | ||
105 | Specifies whether to use compression. The argument must be | ||
106 | ``yes'' or ``no''. The default is ``no''. | ||
107 | |||
108 | CompressionLevel | ||
109 | Specifies the compression level to use if compression is enabled. | ||
110 | The argument must be an integer from 1 (fast) to 9 (slow, best). | ||
111 | The default level is 6, which is good for most applications. The | ||
112 | meaning of the values is the same as in gzip(1). Note that this | ||
113 | option applies to protocol version 1 only. | ||
114 | |||
115 | ConnectionAttempts | ||
116 | Specifies the number of tries (one per second) to make before ex- | ||
117 | iting. The argument must be an integer. This may be useful in | ||
118 | scripts if the connection sometimes fails. The default is 1. | ||
119 | |||
120 | ConnectTimeout | ||
121 | Specifies the timeout (in seconds) used when connecting to the | ||
122 | ssh server, instead of using the default system TCP timeout. | ||
123 | This value is used only when the target is down or really un- | ||
124 | reachable, not when it refuses the connection. | ||
125 | |||
126 | ControlMaster | ||
127 | Enables the sharing of multiple sessions over a single network | ||
128 | connection. When set to ``yes'' ssh will listen for connections | ||
129 | on a control socket specified using the ControlPath argument. | ||
130 | Additional sessions can connect to this socket using the same | ||
131 | ControlPath with ControlMaster set to ``no'' (the default). | ||
132 | These sessions will try to reuse the master instance's network | ||
133 | connection rather than initiating new ones, but will fall back to | ||
134 | connecting normally if the control socket does not exist, or is | ||
135 | not listening. | ||
136 | |||
137 | Setting this to ``ask'' will cause ssh to listen for control con- | ||
138 | nections, but require confirmation using the SSH_ASKPASS program | ||
139 | before they are accepted (see ssh-add(1) for details). If the | ||
140 | ControlPath can not be opened, ssh will continue without connect- | ||
141 | ing to a master instance. | ||
142 | |||
143 | X11 and ssh-agent(1) forwarding is supported over these multi- | ||
144 | plexed connections, however the display and agent forwarded will | ||
145 | be the one belonging to the master connection i.e. it is not pos- | ||
146 | sible to forward multiple displays or agents. | ||
147 | |||
148 | Two additional options allow for opportunistic multiplexing: try | ||
149 | to use a master connection but fall back to creating a new one if | ||
150 | one does not already exist. These options are: ``auto'' and | ||
151 | ``autoask''. The latter requires confirmation like the ``ask'' | ||
152 | option. | ||
153 | |||
154 | ControlPath | ||
155 | Specify the path to the control socket used for connection shar- | ||
156 | ing as described in the ControlMaster section above or the string | ||
157 | ``none'' to disable connection sharing. In the path, `%h' will | ||
158 | be substituted by the target host name, `%p' the port and `%r' by | ||
159 | the remote login username. It is recommended that any | ||
160 | ControlPath used for opportunistic connection sharing include all | ||
161 | three of these escape sequences. This ensures that shared con- | ||
162 | nections are uniquely identified. | ||
163 | |||
164 | DynamicForward | ||
165 | Specifies that a TCP port on the local machine be forwarded over | ||
166 | the secure channel, and the application protocol is then used to | ||
167 | determine where to connect to from the remote machine. | ||
168 | |||
169 | The argument must be [bind_address:]port. IPv6 addresses can be | ||
170 | specified by enclosing addresses in square brackets or by using | ||
171 | an alternative syntax: [bind_address/]port. By default, the lo- | ||
172 | cal port is bound in accordance with the GatewayPorts setting. | ||
173 | However, an explicit bind_address may be used to bind the connec- | ||
174 | tion to a specific address. The bind_address of ``localhost'' | ||
175 | indicates that the listening port be bound for local use only, | ||
176 | while an empty address or `*' indicates that the port should be | ||
177 | available from all interfaces. | ||
178 | |||
179 | Currently the SOCKS4 and SOCKS5 protocols are supported, and ssh | ||
180 | will act as a SOCKS server. Multiple forwardings may be speci- | ||
181 | fied, and additional forwardings can be given on the command | ||
182 | line. Only the superuser can forward privileged ports. | ||
183 | |||
184 | EnableSSHKeysign | ||
185 | Setting this option to ``yes'' in the global client configuration | ||
186 | file /etc/ssh/ssh_config enables the use of the helper program | ||
187 | ssh-keysign(8) during HostbasedAuthentication. The argument must | ||
188 | be ``yes'' or ``no''. The default is ``no''. This option should | ||
189 | be placed in the non-hostspecific section. See ssh-keysign(8) | ||
190 | for more information. | ||
191 | |||
192 | EscapeChar | ||
193 | Sets the escape character (default: `~'). The escape character | ||
194 | can also be set on the command line. The argument should be a | ||
195 | single character, `^' followed by a letter, or ``none'' to dis- | ||
196 | able the escape character entirely (making the connection trans- | ||
197 | parent for binary data). | ||
198 | |||
199 | ForwardAgent | ||
200 | Specifies whether the connection to the authentication agent (if | ||
201 | any) will be forwarded to the remote machine. The argument must | ||
202 | be ``yes'' or ``no''. The default is ``no''. | ||
203 | |||
204 | Agent forwarding should be enabled with caution. Users with the | ||
205 | ability to bypass file permissions on the remote host (for the | ||
206 | agent's Unix-domain socket) can access the local agent through | ||
207 | the forwarded connection. An attacker cannot obtain key material | ||
208 | from the agent, however they can perform operations on the keys | ||
209 | that enable them to authenticate using the identities loaded into | ||
210 | the agent. | ||
211 | |||
212 | ForwardX11 | ||
213 | Specifies whether X11 connections will be automatically redirect- | ||
214 | ed over the secure channel and DISPLAY set. The argument must be | ||
215 | ``yes'' or ``no''. The default is ``no''. | ||
216 | |||
217 | X11 forwarding should be enabled with caution. Users with the | ||
218 | ability to bypass file permissions on the remote host (for the | ||
219 | user's X11 authorization database) can access the local X11 dis- | ||
220 | play through the forwarded connection. An attacker may then be | ||
221 | able to perform activities such as keystroke monitoring if the | ||
222 | ForwardX11Trusted option is also enabled. | ||
223 | |||
224 | ForwardX11Trusted | ||
225 | If this option is set to ``yes'' then remote X11 clients will | ||
226 | have full access to the original X11 display. | ||
227 | |||
228 | If this option is set to ``no'' then remote X11 clients will be | ||
229 | considered untrusted and prevented from stealing or tampering | ||
230 | with data belonging to trusted X11 clients. Furthermore, the | ||
231 | xauth(1) token used for the session will be set to expire after | ||
232 | 20 minutes. Remote clients will be refused access after this | ||
233 | time. | ||
234 | |||
235 | The default is ``no''. | ||
236 | |||
237 | See the X11 SECURITY extension specification for full details on | ||
238 | the restrictions imposed on untrusted clients. | ||
239 | |||
240 | GatewayPorts | ||
241 | Specifies whether remote hosts are allowed to connect to local | ||
242 | forwarded ports. By default, ssh binds local port forwardings to | ||
243 | the loopback address. This prevents other remote hosts from con- | ||
244 | necting to forwarded ports. GatewayPorts can be used to specify | ||
245 | that ssh should bind local port forwardings to the wildcard ad- | ||
246 | dress, thus allowing remote hosts to connect to forwarded ports. | ||
247 | The argument must be ``yes'' or ``no''. The default is ``no''. | ||
248 | |||
249 | GlobalKnownHostsFile | ||
250 | Specifies a file to use for the global host key database instead | ||
251 | of /etc/ssh/ssh_known_hosts. | ||
252 | |||
253 | GSSAPIAuthentication | ||
254 | Specifies whether user authentication based on GSSAPI is allowed. | ||
255 | The default is ``no''. Note that this option applies to protocol | ||
256 | version 2 only. | ||
257 | |||
258 | GSSAPIDelegateCredentials | ||
259 | Forward (delegate) credentials to the server. The default is | ||
260 | ``no''. Note that this option applies to protocol version 2 on- | ||
261 | ly. | ||
262 | |||
263 | HashKnownHosts | ||
264 | Indicates that ssh should hash host names and addresses when they | ||
265 | are added to ~/.ssh/known_hosts. These hashed names may be used | ||
266 | normally by ssh and sshd, but they do not reveal identifying in- | ||
267 | formation should the file's contents be disclosed. The default | ||
268 | is ``no''. Note that hashing of names and addresses will not be | ||
269 | retrospectively applied to existing known hosts files, but these | ||
270 | may be manually hashed using ssh-keygen(1). | ||
271 | |||
272 | HostbasedAuthentication | ||
273 | Specifies whether to try rhosts based authentication with public | ||
274 | key authentication. The argument must be ``yes'' or ``no''. The | ||
275 | default is ``no''. This option applies to protocol version 2 on- | ||
276 | ly and is similar to RhostsRSAAuthentication. | ||
277 | |||
278 | HostKeyAlgorithms | ||
279 | Specifies the protocol version 2 host key algorithms that the | ||
280 | client wants to use in order of preference. The default for this | ||
281 | option is: ``ssh-rsa,ssh-dss''. | ||
282 | |||
283 | HostKeyAlias | ||
284 | Specifies an alias that should be used instead of the real host | ||
285 | name when looking up or saving the host key in the host key | ||
286 | database files. This option is useful for tunneling ssh connec- | ||
287 | tions or for multiple servers running on a single host. | ||
288 | |||
289 | HostName | ||
290 | Specifies the real host name to log into. This can be used to | ||
291 | specify nicknames or abbreviations for hosts. Default is the | ||
292 | name given on the command line. Numeric IP addresses are also | ||
293 | permitted (both on the command line and in HostName specifica- | ||
294 | tions). | ||
295 | |||
296 | IdentitiesOnly | ||
297 | Specifies that ssh should only use the authentication identity | ||
298 | files configured in the ssh_config files, even if the ssh-agent | ||
299 | offers more identities. The argument to this keyword must be | ||
300 | ``yes'' or ``no''. This option is intended for situations where | ||
301 | ssh-agent offers many different identities. The default is | ||
302 | ``no''. | ||
303 | |||
304 | IdentityFile | ||
305 | Specifies a file from which the user's RSA or DSA authentication | ||
306 | identity is read. The default is ~/.ssh/identity for protocol | ||
307 | version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol ver- | ||
308 | sion 2. Additionally, any identities represented by the authen- | ||
309 | tication agent will be used for authentication. The file name | ||
310 | may use the tilde syntax to refer to a user's home directory. It | ||
311 | is possible to have multiple identity files specified in configu- | ||
312 | ration files; all these identities will be tried in sequence. | ||
313 | |||
314 | KbdInteractiveDevices | ||
315 | Specifies the list of methods to use in keyboard-interactive au- | ||
316 | thentication. Multiple method names must be comma-separated. | ||
317 | The default is to use the server specified list. | ||
318 | |||
319 | LocalCommand | ||
320 | Specifies a command to execute on the local machine after suc- | ||
321 | cessfully connecting to the server. The command string extends | ||
322 | to the end of the line, and is executed with /bin/sh. This di- | ||
323 | rective is ignored unless PermitLocalCommand has been enabled. | ||
324 | |||
325 | LocalForward | ||
326 | Specifies that a TCP port on the local machine be forwarded over | ||
327 | the secure channel to the specified host and port from the remote | ||
328 | machine. The first argument must be [bind_address:]port and the | ||
329 | second argument must be host:hostport. IPv6 addresses can be | ||
330 | specified by enclosing addresses in square brackets or by using | ||
331 | an alternative syntax: [bind_address/]port and host/hostport. | ||
332 | Multiple forwardings may be specified, and additional forwardings | ||
333 | can be given on the command line. Only the superuser can forward | ||
334 | privileged ports. By default, the local port is bound in accor- | ||
335 | dance with the GatewayPorts setting. However, an explicit | ||
336 | bind_address may be used to bind the connection to a specific ad- | ||
337 | dress. The bind_address of ``localhost'' indicates that the lis- | ||
338 | tening port be bound for local use only, while an empty address | ||
339 | or `*' indicates that the port should be available from all in- | ||
340 | terfaces. | ||
341 | |||
342 | LogLevel | ||
343 | Gives the verbosity level that is used when logging messages from | ||
344 | ssh. The possible values are: QUIET, FATAL, ERROR, INFO, VER- | ||
345 | BOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. The default is INFO. | ||
346 | DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify | ||
347 | higher levels of verbose output. | ||
348 | |||
349 | MACs Specifies the MAC (message authentication code) algorithms in or- | ||
350 | der of preference. The MAC algorithm is used in protocol version | ||
351 | 2 for data integrity protection. Multiple algorithms must be | ||
352 | comma-separated. The default is ``hmac-md5,hmac-sha1,hmac- | ||
353 | ripemd160,hmac-sha1-96,hmac-md5-96''. | ||
354 | |||
355 | NoHostAuthenticationForLocalhost | ||
356 | This option can be used if the home directory is shared across | ||
357 | machines. In this case localhost will refer to a different ma- | ||
358 | chine on each of the machines and the user will get many warnings | ||
359 | about changed host keys. However, this option disables host au- | ||
360 | thentication for localhost. The argument to this keyword must be | ||
361 | ``yes'' or ``no''. The default is to check the host key for lo- | ||
362 | calhost. | ||
363 | |||
364 | NumberOfPasswordPrompts | ||
365 | Specifies the number of password prompts before giving up. The | ||
366 | argument to this keyword must be an integer. Default is 3. | ||
367 | |||
368 | PasswordAuthentication | ||
369 | Specifies whether to use password authentication. The argument | ||
370 | to this keyword must be ``yes'' or ``no''. The default is | ||
371 | ``yes''. | ||
372 | |||
373 | PermitLocalCommand | ||
374 | Allow local command execution via the LocalCommand option or us- | ||
375 | ing the !command escape sequence in ssh(1). The argument must be | ||
376 | ``yes'' or ``no''. The default is ``no''. | ||
377 | |||
378 | Port Specifies the port number to connect on the remote host. Default | ||
379 | is 22. | ||
380 | |||
381 | PreferredAuthentications | ||
382 | Specifies the order in which the client should try protocol 2 au- | ||
383 | thentication methods. This allows a client to prefer one method | ||
384 | (e.g. keyboard-interactive) over another method (e.g. password) | ||
385 | The default for this option is: ``hostbased,publickey,keyboard- | ||
386 | interactive,password''. | ||
387 | |||
388 | Protocol | ||
389 | Specifies the protocol versions ssh should support in order of | ||
390 | preference. The possible values are ``1'' and ``2''. Multiple | ||
391 | versions must be comma-separated. The default is ``2,1''. This | ||
392 | means that ssh tries version 2 and falls back to version 1 if | ||
393 | version 2 is not available. | ||
394 | |||
395 | ProxyCommand | ||
396 | Specifies the command to use to connect to the server. The com- | ||
397 | mand string extends to the end of the line, and is executed with | ||
398 | /bin/sh. In the command string, `%h' will be substituted by the | ||
399 | host name to connect and `%p' by the port. The command can be | ||
400 | basically anything, and should read from its standard input and | ||
401 | write to its standard output. It should eventually connect an | ||
402 | sshd(8) server running on some machine, or execute sshd -i some- | ||
403 | where. Host key management will be done using the HostName of | ||
404 | the host being connected (defaulting to the name typed by the us- | ||
405 | er). Setting the command to ``none'' disables this option en- | ||
406 | tirely. Note that CheckHostIP is not available for connects with | ||
407 | a proxy command. | ||
408 | |||
409 | This directive is useful in conjunction with nc(1) and its proxy | ||
410 | support. For example, the following directive would connect via | ||
411 | an HTTP proxy at 192.0.2.0: | ||
412 | |||
413 | ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p | ||
414 | |||
415 | PubkeyAuthentication | ||
416 | Specifies whether to try public key authentication. The argument | ||
417 | to this keyword must be ``yes'' or ``no''. The default is | ||
418 | ``yes''. This option applies to protocol version 2 only. | ||
419 | |||
420 | RekeyLimit | ||
421 | Specifies the maximum amount of data that may be transmitted be- | ||
422 | fore the session key is renegotiated. The argument is the number | ||
423 | of bytes, with an optional suffix of `K', `M', or `G' to indicate | ||
424 | Kilobytes, Megabytes, or Gigabytes, respectively. The default is | ||
425 | between ``1G'' and ``4G'', depending on the cipher. This option | ||
426 | applies to protocol version 2 only. | ||
427 | |||
428 | RemoteForward | ||
429 | Specifies that a TCP port on the remote machine be forwarded over | ||
430 | the secure channel to the specified host and port from the local | ||
431 | machine. The first argument must be [bind_address:]port and the | ||
432 | second argument must be host:hostport. IPv6 addresses can be | ||
433 | specified by enclosing addresses in square brackets or by using | ||
434 | an alternative syntax: [bind_address/]port and host/hostport. | ||
435 | Multiple forwardings may be specified, and additional forwardings | ||
436 | can be given on the command line. Only the superuser can forward | ||
437 | privileged ports. | ||
438 | |||
439 | If the bind_address is not specified, the default is to only bind | ||
440 | to loopback addresses. If the bind_address is `*' or an empty | ||
441 | string, then the forwarding is requested to listen on all inter- | ||
442 | faces. Specifying a remote bind_address will only succeed if the | ||
443 | server's GatewayPorts option is enabled (see sshd_config(5)). | ||
444 | |||
445 | RhostsRSAAuthentication | ||
446 | Specifies whether to try rhosts based authentication with RSA | ||
447 | host authentication. The argument must be ``yes'' or ``no''. | ||
448 | The default is ``no''. This option applies to protocol version 1 | ||
449 | only and requires ssh to be setuid root. | ||
450 | |||
451 | RSAAuthentication | ||
452 | Specifies whether to try RSA authentication. The argument to | ||
453 | this keyword must be ``yes'' or ``no''. RSA authentication will | ||
454 | only be attempted if the identity file exists, or an authentica- | ||
455 | tion agent is running. The default is ``yes''. Note that this | ||
456 | option applies to protocol version 1 only. | ||
457 | |||
458 | SendEnv | ||
459 | Specifies what variables from the local environ(7) should be sent | ||
460 | to the server. Note that environment passing is only supported | ||
461 | for protocol 2, the server must also support it, and the server | ||
462 | must be configured to accept these environment variables. Refer | ||
463 | to AcceptEnv in sshd_config(5) for how to configure the server. | ||
464 | Variables are specified by name, which may contain the wildcard | ||
465 | characters `*' and `?'. Multiple environment variables may be | ||
466 | separated by whitespace or spread across multiple SendEnv direc- | ||
467 | tives. The default is not to send any environment variables. | ||
468 | |||
469 | ServerAliveCountMax | ||
470 | Sets the number of server alive messages (see below) which may be | ||
471 | sent without ssh receiving any messages back from the server. If | ||
472 | this threshold is reached while server alive messages are being | ||
473 | sent, ssh will disconnect from the server, terminating the ses- | ||
474 | sion. It is important to note that the use of server alive mes- | ||
475 | sages is very different from TCPKeepAlive (below). The server | ||
476 | alive messages are sent through the encrypted channel and there- | ||
477 | fore will not be spoofable. The TCP keepalive option enabled by | ||
478 | TCPKeepAlive is spoofable. The server alive mechanism is valu- | ||
479 | able when the client or server depend on knowing when a connec- | ||
480 | tion has become inactive. | ||
481 | |||
482 | The default value is 3. If, for example, ServerAliveInterval | ||
483 | (see below) is set to 15, and ServerAliveCountMax is left at the | ||
484 | default, if the server becomes unresponsive ssh will disconnect | ||
485 | after approximately 45 seconds. | ||
486 | |||
487 | ServerAliveInterval | ||
488 | Sets a timeout interval in seconds after which if no data has | ||
489 | been received from the server, ssh will send a message through | ||
490 | the encrypted channel to request a response from the server. The | ||
491 | default is 0, indicating that these messages will not be sent to | ||
492 | the server. This option applies to protocol version 2 only. | ||
493 | |||
494 | SmartcardDevice | ||
495 | Specifies which smartcard device to use. The argument to this | ||
496 | keyword is the device ssh should use to communicate with a smart- | ||
497 | card used for storing the user's private RSA key. By default, no | ||
498 | device is specified and smartcard support is not activated. | ||
499 | |||
500 | StrictHostKeyChecking | ||
501 | If this flag is set to ``yes'', ssh will never automatically add | ||
502 | host keys to the ~/.ssh/known_hosts file, and refuses to connect | ||
503 | to hosts whose host key has changed. This provides maximum pro- | ||
504 | tection against trojan horse attacks, however, can be annoying | ||
505 | when the /etc/ssh/ssh_known_hosts file is poorly maintained, or | ||
506 | connections to new hosts are frequently made. This option forces | ||
507 | the user to manually add all new hosts. If this flag is set to | ||
508 | ``no'', ssh will automatically add new host keys to the user | ||
509 | known hosts files. If this flag is set to ``ask'', new host keys | ||
510 | will be added to the user known host files only after the user | ||
511 | has confirmed that is what they really want to do, and ssh will | ||
512 | refuse to connect to hosts whose host key has changed. The host | ||
513 | keys of known hosts will be verified automatically in all cases. | ||
514 | The argument must be ``yes'', ``no'' or ``ask''. The default is | ||
515 | ``ask''. | ||
516 | |||
517 | TCPKeepAlive | ||
518 | Specifies whether the system should send TCP keepalive messages | ||
519 | to the other side. If they are sent, death of the connection or | ||
520 | crash of one of the machines will be properly noticed. However, | ||
521 | this means that connections will die if the route is down tem- | ||
522 | porarily, and some people find it annoying. | ||
523 | |||
524 | The default is ``yes'' (to send TCP keepalive messages), and the | ||
525 | client will notice if the network goes down or the remote host | ||
526 | dies. This is important in scripts, and many users want it too. | ||
527 | |||
528 | To disable TCP keepalive messages, the value should be set to | ||
529 | ``no''. | ||
530 | |||
531 | Tunnel Request starting tun(4) device forwarding between the client and | ||
532 | the server. This option also allows requesting layer 2 (ether- | ||
533 | net) instead of layer 3 (point-to-point) tunneling from the serv- | ||
534 | er. The argument must be ``yes'', ``point-to-point'', | ||
535 | ``ethernet'' or ``no''. The default is ``no''. | ||
536 | |||
537 | TunnelDevice | ||
538 | Force a specified tun(4) device on the client. Without this op- | ||
539 | tion, the next available device will be used. | ||
540 | |||
541 | UsePrivilegedPort | ||
542 | Specifies whether to use a privileged port for outgoing connec- | ||
543 | tions. The argument must be ``yes'' or ``no''. The default is | ||
544 | ``no''. If set to ``yes'' ssh must be setuid root. Note that | ||
545 | this option must be set to ``yes'' for RhostsRSAAuthentication | ||
546 | with older servers. | ||
547 | |||
548 | User Specifies the user to log in as. This can be useful when a dif- | ||
549 | ferent user name is used on different machines. This saves the | ||
550 | trouble of having to remember to give the user name on the com- | ||
551 | mand line. | ||
552 | |||
553 | UserKnownHostsFile | ||
554 | Specifies a file to use for the user host key database instead of | ||
555 | ~/.ssh/known_hosts. | ||
556 | |||
557 | VerifyHostKeyDNS | ||
558 | Specifies whether to verify the remote key using DNS and SSHFP | ||
559 | resource records. If this option is set to ``yes'', the client | ||
560 | will implicitly trust keys that match a secure fingerprint from | ||
561 | DNS. Insecure fingerprints will be handled as if this option was | ||
562 | set to ``ask''. If this option is set to ``ask'', information on | ||
563 | fingerprint match will be displayed, but the user will still need | ||
564 | to confirm new host keys according to the StrictHostKeyChecking | ||
565 | option. The argument must be ``yes'', ``no'' or ``ask''. The | ||
566 | default is ``no''. Note that this option applies to protocol | ||
567 | version 2 only. | ||
568 | |||
569 | XAuthLocation | ||
570 | Specifies the full pathname of the xauth(1) program. The default | ||
571 | is /usr/X11R6/bin/xauth. | ||
572 | |||
573 | FILES | ||
574 | ~/.ssh/config | ||
575 | This is the per-user configuration file. The format of this file | ||
576 | is described above. This file is used by the ssh client. Be- | ||
577 | cause of the potential for abuse, this file must have strict per- | ||
578 | missions: read/write for the user, and not accessible by others. | ||
579 | |||
580 | /etc/ssh/ssh_config | ||
581 | Systemwide configuration file. This file provides defaults for | ||
582 | those values that are not specified in the user's configuration | ||
583 | file, and for those users who do not have a configuration file. | ||
584 | This file must be world-readable. | ||
585 | |||
586 | SEE ALSO | ||
587 | ssh(1) | ||
588 | |||
589 | AUTHORS | ||
590 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by | ||
591 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo | ||
592 | de Raadt and Dug Song removed many bugs, re-added newer features and cre- | ||
593 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol | ||
594 | versions 1.5 and 2.0. | ||
595 | |||
596 | OpenBSD 3.9 September 25, 1999 9 | ||