diff options
Diffstat (limited to 'ssh_config.0')
| -rw-r--r-- | ssh_config.0 | 92 |
1 files changed, 69 insertions, 23 deletions
diff --git a/ssh_config.0 b/ssh_config.0 index 8c84502cb..40e9d3001 100644 --- a/ssh_config.0 +++ b/ssh_config.0 | |||
| @@ -132,7 +132,8 @@ DESCRIPTION | |||
| 132 | Setting this option to ``yes'' in the global client configuration | 132 | Setting this option to ``yes'' in the global client configuration |
| 133 | file /etc/ssh/ssh_config enables the use of the helper program | 133 | file /etc/ssh/ssh_config enables the use of the helper program |
| 134 | ssh-keysign(8) during HostbasedAuthentication. The argument must | 134 | ssh-keysign(8) during HostbasedAuthentication. The argument must |
| 135 | be ``yes'' or ``no''. The default is ``no''. See ssh-keysign(8) | 135 | be ``yes'' or ``no''. The default is ``no''. This option should |
| 136 | be placed in the non-hostspecific section. See ssh-keysign(8) | ||
| 136 | for more information. | 137 | for more information. |
| 137 | 138 | ||
| 138 | EscapeChar | 139 | EscapeChar |
| @@ -162,9 +163,22 @@ DESCRIPTION | |||
| 162 | 163 | ||
| 163 | X11 forwarding should be enabled with caution. Users with the | 164 | X11 forwarding should be enabled with caution. Users with the |
| 164 | ability to bypass file permissions on the remote host (for the | 165 | ability to bypass file permissions on the remote host (for the |
| 165 | user's X authorization database) can access the local X11 display | 166 | user's X11 authorization database) can access the local X11 dis- |
| 166 | through the forwarded connection. An attacker may then be able | 167 | play through the forwarded connection. An attacker may then be |
| 167 | to perform activities such as keystroke monitoring. | 168 | able to perform activities such as keystroke monitoring if the |
| 169 | ForwardX11Trusted option is also enabled. | ||
| 170 | |||
| 171 | ForwardX11Trusted | ||
| 172 | If the this option is set to ``yes'' then remote X11 clients will | ||
| 173 | have full access to the original X11 display. If this option is | ||
| 174 | set to ``no'' then remote X11 clients will be considered untrust- | ||
| 175 | ed and prevented from stealing or tampering with data belonging | ||
| 176 | to trusted X11 clients. | ||
| 177 | |||
| 178 | The default is ``no''. | ||
| 179 | |||
| 180 | See the X11 SECURITY extension specification for full details on | ||
| 181 | the restrictions imposed on untrusted clients. | ||
| 168 | 182 | ||
| 169 | GatewayPorts | 183 | GatewayPorts |
| 170 | Specifies whether remote hosts are allowed to connect to local | 184 | Specifies whether remote hosts are allowed to connect to local |
| @@ -180,10 +194,9 @@ DESCRIPTION | |||
| 180 | of /etc/ssh/ssh_known_hosts. | 194 | of /etc/ssh/ssh_known_hosts. |
| 181 | 195 | ||
| 182 | GSSAPIAuthentication | 196 | GSSAPIAuthentication |
| 183 | Specifies whether authentication based on GSSAPI may be used, ei- | 197 | Specifies whether user authentication based on GSSAPI is allowed. |
| 184 | ther using the result of a successful key exchange, or using GSS- | 198 | The default is ``no''. Note that this option applies to protocol |
| 185 | API user authentication. The default is ``yes''. Note that this | 199 | version 2 only. |
| 186 | option applies to protocol version 2 only. | ||
| 187 | 200 | ||
| 188 | GSSAPIDelegateCredentials | 201 | GSSAPIDelegateCredentials |
| 189 | Forward (delegate) credentials to the server. The default is | 202 | Forward (delegate) credentials to the server. The default is |
| @@ -225,19 +238,6 @@ DESCRIPTION | |||
| 225 | fied in configuration files; all these identities will be tried | 238 | fied in configuration files; all these identities will be tried |
| 226 | in sequence. | 239 | in sequence. |
| 227 | 240 | ||
| 228 | KeepAlive | ||
| 229 | Specifies whether the system should send TCP keepalive messages | ||
| 230 | to the other side. If they are sent, death of the connection or | ||
| 231 | crash of one of the machines will be properly noticed. However, | ||
| 232 | this means that connections will die if the route is down tem- | ||
| 233 | porarily, and some people find it annoying. | ||
| 234 | |||
| 235 | The default is ``yes'' (to send keepalives), and the client will | ||
| 236 | notice if the network goes down or the remote host dies. This is | ||
| 237 | important in scripts, and many users want it too. | ||
| 238 | |||
| 239 | To disable keepalives, the value should be set to ``no''. | ||
| 240 | |||
| 241 | LocalForward | 241 | LocalForward |
| 242 | Specifies that a TCP/IP port on the local machine be forwarded | 242 | Specifies that a TCP/IP port on the local machine be forwarded |
| 243 | over the secure channel to the specified host and port from the | 243 | over the secure channel to the specified host and port from the |
| @@ -336,6 +336,31 @@ DESCRIPTION | |||
| 336 | tion agent is running. The default is ``yes''. Note that this | 336 | tion agent is running. The default is ``yes''. Note that this |
| 337 | option applies to protocol version 1 only. | 337 | option applies to protocol version 1 only. |
| 338 | 338 | ||
| 339 | ServerAliveInterval | ||
| 340 | Sets a timeout interval in seconds after which if no data has | ||
| 341 | been received from the server, ssh will send a message through | ||
| 342 | the encrypted channel to request a response from the server. The | ||
| 343 | default is 0, indicating that these messages will not be sent to | ||
| 344 | the server. This option applies to protocol version 2 only. | ||
| 345 | |||
| 346 | ServerAliveCountMax | ||
| 347 | Sets the number of server alive messages (see above) which may be | ||
| 348 | sent without ssh receiving any messages back from the server. If | ||
| 349 | this threshold is reached while server alive messages are being | ||
| 350 | sent, ssh will disconnect from the server, terminating the ses- | ||
| 351 | sion. It is important to note that the use of server alive mes- | ||
| 352 | sages is very different from TCPKeepAlive (below). The server | ||
| 353 | alive messages are sent through the encrypted channel and there- | ||
| 354 | fore will not be spoofable. The TCP keepalive option enabled by | ||
| 355 | TCPKeepAlive is spoofable. The server alive mechanism is valu- | ||
| 356 | able when the client or server depend on knowing when a connec- | ||
| 357 | tion has become inactive. | ||
| 358 | |||
| 359 | The default value is 3. If, for example, ServerAliveInterval | ||
| 360 | (above) is set to 15, and ServerAliveCountMax is left at the de- | ||
| 361 | fault, if the server becomes unresponsive ssh will disconnect af- | ||
| 362 | ter approximately 45 seconds. | ||
| 363 | |||
| 339 | SmartcardDevice | 364 | SmartcardDevice |
| 340 | Specifies which smartcard device to use. The argument to this | 365 | Specifies which smartcard device to use. The argument to this |
| 341 | keyword is the device ssh should use to communicate with a smart- | 366 | keyword is the device ssh should use to communicate with a smart- |
| @@ -359,6 +384,20 @@ DESCRIPTION | |||
| 359 | The argument must be ``yes'', ``no'' or ``ask''. The default is | 384 | The argument must be ``yes'', ``no'' or ``ask''. The default is |
| 360 | ``ask''. | 385 | ``ask''. |
| 361 | 386 | ||
| 387 | TCPKeepAlive | ||
| 388 | Specifies whether the system should send TCP keepalive messages | ||
| 389 | to the other side. If they are sent, death of the connection or | ||
| 390 | crash of one of the machines will be properly noticed. However, | ||
| 391 | this means that connections will die if the route is down tem- | ||
| 392 | porarily, and some people find it annoying. | ||
| 393 | |||
| 394 | The default is ``yes'' (to send TCP keepalive messages), and the | ||
| 395 | client will notice if the network goes down or the remote host | ||
| 396 | dies. This is important in scripts, and many users want it too. | ||
| 397 | |||
| 398 | To disable TCP keepalive messages, the value should be set to | ||
| 399 | ``no''. | ||
| 400 | |||
| 362 | UsePrivilegedPort | 401 | UsePrivilegedPort |
| 363 | Specifies whether to use a privileged port for outgoing connec- | 402 | Specifies whether to use a privileged port for outgoing connec- |
| 364 | tions. The argument must be ``yes'' or ``no''. The default is | 403 | tions. The argument must be ``yes'' or ``no''. The default is |
| @@ -377,8 +416,15 @@ DESCRIPTION | |||
| 377 | 416 | ||
| 378 | VerifyHostKeyDNS | 417 | VerifyHostKeyDNS |
| 379 | Specifies whether to verify the remote key using DNS and SSHFP | 418 | Specifies whether to verify the remote key using DNS and SSHFP |
| 380 | resource records. The default is ``no''. Note that this option | 419 | resource records. If this option is set to ``yes'', the client |
| 381 | applies to protocol version 2 only. | 420 | will implicitly trust keys that match a secure fingerprint from |
| 421 | DNS. Insecure fingerprints will be handled as if this option was | ||
| 422 | set to ``ask''. If this option is set to ``ask'', information on | ||
| 423 | fingerprint match will be displayed, but the user will still need | ||
| 424 | to confirm new host keys according to the StrictHostKeyChecking | ||
| 425 | option. The argument must be ``yes'', ``no'' or ``ask''. The | ||
| 426 | default is ``no''. Note that this option applies to protocol | ||
| 427 | version 2 only. | ||
| 382 | 428 | ||
| 383 | XAuthLocation | 429 | XAuthLocation |
| 384 | Specifies the full pathname of the xauth(1) program. The default | 430 | Specifies the full pathname of the xauth(1) program. The default |