Diffstat (limited to 'ssh_config.0')
-rw-r--r-- | ssh_config.0 | 92 |
1 files changed, 69 insertions, 23 deletions
diff --git a/ssh_config.0 b/ssh_config.0 index 8c84502cb..40e9d3001 100644 --- a/ssh_config.0 +++ b/ssh_config.0 | |||
@@ -132,7 +132,8 @@ DESCRIPTION | |||
132 | Setting this option to ``yes'' in the global client configuration | 132 | Setting this option to ``yes'' in the global client configuration |
133 | file /etc/ssh/ssh_config enables the use of the helper program | 133 | file /etc/ssh/ssh_config enables the use of the helper program |
134 | ssh-keysign(8) during HostbasedAuthentication. The argument must | 134 | ssh-keysign(8) during HostbasedAuthentication. The argument must |
135 | be ``yes'' or ``no''. The default is ``no''. See ssh-keysign(8) | 135 | be ``yes'' or ``no''. The default is ``no''. This option should |
136 | be placed in the non-hostspecific section. See ssh-keysign(8) | ||
136 | for more information. | 137 | for more information. |
137 | 138 | ||
138 | EscapeChar | 139 | EscapeChar |
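Review bot: the sentence added to EnableSSHKeysign ("This option should be placed in the non-hostspecific section") states a placement requirement without saying why or what happens if it is violated; if the reason is that ssh-keysign(8) reads /etc/ssh/ssh_config on its own and therefore never matches a Host block, say so in one clause, and use "must" rather than "should" if the option is simply ignored elsewhere. Style: "non-hostspecific" should be hyphenated "non-host-specific".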
@@ -162,9 +163,22 @@ DESCRIPTION | |||
162 | 163 | ||
163 | X11 forwarding should be enabled with caution. Users with the | 164 | X11 forwarding should be enabled with caution. Users with the |
164 | ability to bypass file permissions on the remote host (for the | 165 | ability to bypass file permissions on the remote host (for the |
165 | user's X authorization database) can access the local X11 display | 166 | user's X11 authorization database) can access the local X11 dis- |
166 | through the forwarded connection. An attacker may then be able | 167 | play through the forwarded connection. An attacker may then be |
167 | to perform activities such as keystroke monitoring. | 168 | able to perform activities such as keystroke monitoring if the |
169 | ForwardX11Trusted option is also enabled. | ||
170 | |||
171 | ForwardX11Trusted | ||
172 | If the this option is set to ``yes'' then remote X11 clients will | ||
173 | have full access to the original X11 display. If this option is | ||
174 | set to ``no'' then remote X11 clients will be considered untrust- | ||
175 | ed and prevented from stealing or tampering with data belonging | ||
176 | to trusted X11 clients. | ||
177 | |||
178 | The default is ``no''. | ||
179 | |||
180 | See the X11 SECURITY extension specification for full details on | ||
181 | the restrictions imposed on untrusted clients. | ||
168 | 182 | ||
169 | GatewayPorts | 183 | GatewayPorts |
170 | Specifies whether remote hosts are allowed to connect to local | 184 | Specifies whether remote hosts are allowed to connect to local |
@@ -180,10 +194,9 @@ DESCRIPTION | |||
180 | of /etc/ssh/ssh_known_hosts. | 194 | of /etc/ssh/ssh_known_hosts. |
181 | 195 | ||
182 | GSSAPIAuthentication | 196 | GSSAPIAuthentication |
183 | Specifies whether authentication based on GSSAPI may be used, ei- | 197 | Specifies whether user authentication based on GSSAPI is allowed. |
184 | ther using the result of a successful key exchange, or using GSS- | 198 | The default is ``no''. Note that this option applies to protocol |
185 | API user authentication. The default is ``yes''. Note that this | 199 | version 2 only. |
186 | option applies to protocol version 2 only. | ||
187 | 200 | ||
188 | GSSAPIDelegateCredentials | 201 | GSSAPIDelegateCredentials |
189 | Forward (delegate) credentials to the server. The default is | 202 | Forward (delegate) credentials to the server. The default is |
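Review bot: the GSSAPIAuthentication default flips from ``yes'' to ``no'' in this hunk, and the description drops the "using the result of a successful key exchange" wording. Both are behaviour changes for deployments that relied on the old default; the entry should say that GSSAPI authentication now has to be enabled explicitly (and, if the key-exchange variant is gone, that only user authentication is meant by "authentication based on GSSAPI"), or the change should be flagged somewhere an upgrading administrator will see it.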
@@ -225,19 +238,6 @@ DESCRIPTION | |||
225 | fied in configuration files; all these identities will be tried | 238 | fied in configuration files; all these identities will be tried |
226 | in sequence. | 239 | in sequence. |
227 | 240 | ||
228 | KeepAlive | ||
229 | Specifies whether the system should send TCP keepalive messages | ||
230 | to the other side. If they are sent, death of the connection or | ||
231 | crash of one of the machines will be properly noticed. However, | ||
232 | this means that connections will die if the route is down tem- | ||
233 | porarily, and some people find it annoying. | ||
234 | |||
235 | The default is ``yes'' (to send keepalives), and the client will | ||
236 | notice if the network goes down or the remote host dies. This is | ||
237 | important in scripts, and many users want it too. | ||
238 | |||
239 | To disable keepalives, the value should be set to ``no''. | ||
240 | |||
241 | LocalForward | 241 | LocalForward |
242 | Specifies that a TCP/IP port on the local machine be forwarded | 242 | Specifies that a TCP/IP port on the local machine be forwarded |
243 | over the secure channel to the specified host and port from the | 243 | over the secure channel to the specified host and port from the |
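Review bot: the KeepAlive keyword is deleted outright, but existing ssh_config files containing "KeepAlive yes" or "KeepAlive no" will still be read; the page should say whether the old keyword is still accepted as an alias for the renamed TCPKeepAlive option added later in this patch or now produces a parse error, so administrators know whether their configurations need updating. A one-line pointer to the new name at this spot would also spare readers a search for a vanished option.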
@@ -336,6 +336,31 @@ DESCRIPTION | |||
336 | tion agent is running. The default is ``yes''. Note that this | 336 | tion agent is running. The default is ``yes''. Note that this |
337 | option applies to protocol version 1 only. | 337 | option applies to protocol version 1 only. |
338 | 338 | ||
339 | ServerAliveInterval | ||
340 | Sets a timeout interval in seconds after which if no data has | ||
341 | been received from the server, ssh will send a message through | ||
342 | the encrypted channel to request a response from the server. The | ||
343 | default is 0, indicating that these messages will not be sent to | ||
344 | the server. This option applies to protocol version 2 only. | ||
345 | |||
346 | ServerAliveCountMax | ||
347 | Sets the number of server alive messages (see above) which may be | ||
348 | sent without ssh receiving any messages back from the server. If | ||
349 | this threshold is reached while server alive messages are being | ||
350 | sent, ssh will disconnect from the server, terminating the ses- | ||
351 | sion. It is important to note that the use of server alive mes- | ||
352 | sages is very different from TCPKeepAlive (below). The server | ||
353 | alive messages are sent through the encrypted channel and there- | ||
354 | fore will not be spoofable. The TCP keepalive option enabled by | ||
355 | TCPKeepAlive is spoofable. The server alive mechanism is valu- | ||
356 | able when the client or server depend on knowing when a connec- | ||
357 | tion has become inactive. | ||
358 | |||
359 | The default value is 3. If, for example, ServerAliveInterval | ||
360 | (above) is set to 15, and ServerAliveCountMax is left at the de- | ||
361 | fault, if the server becomes unresponsive ssh will disconnect af- | ||
362 | ter approximately 45 seconds. | ||
363 | |||
339 | SmartcardDevice | 364 | SmartcardDevice |
340 | Specifies which smartcard device to use. The argument to this | 365 | Specifies which smartcard device to use. The argument to this |
341 | keyword is the device ssh should use to communicate with a smart- | 366 | keyword is the device ssh should use to communicate with a smart- |
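Review bot: ordering: keywords in this section are alphabetical (GSSAPIAuthentication precedes GSSAPIDelegateCredentials above), so ServerAliveCountMax should come before ServerAliveInterval; with the swap, the "(see above)" in ServerAliveCountMax and the "(above)" in its example would need to point the other way. The spoofability contrast is right but terse: server alive messages are "sent through the encrypted channel and therefore will not be spoofable" while TCP keepalives are "spoofable" because a TCP-level answer only shows that some host with the right address responds, whereas an in-channel reply must come from the peer holding the session keys; one clause saying that would make the distinction actionable. The 15 x 3 = 45 second worked example is a welcome addition.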
@@ -359,6 +384,20 @@ DESCRIPTION | |||
359 | The argument must be ``yes'', ``no'' or ``ask''. The default is | 384 | The argument must be ``yes'', ``no'' or ``ask''. The default is |
360 | ``ask''. | 385 | ``ask''. |
361 | 386 | ||
387 | TCPKeepAlive | ||
388 | Specifies whether the system should send TCP keepalive messages | ||
389 | to the other side. If they are sent, death of the connection or | ||
390 | crash of one of the machines will be properly noticed. However, | ||
391 | this means that connections will die if the route is down tem- | ||
392 | porarily, and some people find it annoying. | ||
393 | |||
394 | The default is ``yes'' (to send TCP keepalive messages), and the | ||
395 | client will notice if the network goes down or the remote host | ||
396 | dies. This is important in scripts, and many users want it too. | ||
397 | |||
398 | To disable TCP keepalive messages, the value should be set to | ||
399 | ``no''. | ||
400 | |||
362 | UsePrivilegedPort | 401 | UsePrivilegedPort |
363 | Specifies whether to use a privileged port for outgoing connec- | 402 | Specifies whether to use a privileged port for outgoing connec- |
364 | tions. The argument must be ``yes'' or ``no''. The default is | 403 | tions. The argument must be ``yes'' or ``no''. The default is |
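Review bot: the TCPKeepAlive text is the old KeepAlive paragraph carried over verbatim, including "some people find it annoying"; since this is the renamed keyword, add a sentence saying it replaces KeepAlive and cross-reference ServerAliveInterval as the in-channel alternative, otherwise a reader who lands here never learns that the spoofability caveat given under ServerAliveCountMax applies to this option.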
@@ -377,8 +416,15 @@ DESCRIPTION | |||
377 | 416 | ||
378 | VerifyHostKeyDNS | 417 | VerifyHostKeyDNS |
379 | Specifies whether to verify the remote key using DNS and SSHFP | 418 | Specifies whether to verify the remote key using DNS and SSHFP |
380 | resource records. The default is ``no''. Note that this option | 419 | resource records. If this option is set to ``yes'', the client |
381 | applies to protocol version 2 only. | 420 | will implicitly trust keys that match a secure fingerprint from |
421 | DNS. Insecure fingerprints will be handled as if this option was | ||
422 | set to ``ask''. If this option is set to ``ask'', information on | ||
423 | fingerprint match will be displayed, but the user will still need | ||
424 | to confirm new host keys according to the StrictHostKeyChecking | ||
425 | option. The argument must be ``yes'', ``no'' or ``ask''. The | ||
426 | default is ``no''. Note that this option applies to protocol | ||
427 | version 2 only. | ||
382 | 428 | ||
383 | XAuthLocation | 429 | XAuthLocation |
384 | Specifies the full pathname of the xauth(1) program. The default | 430 | Specifies the full pathname of the xauth(1) program. The default |
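Review bot: the new VerifyHostKeyDNS text distinguishes "secure" and "insecure" fingerprints without defining the terms; state the criterion (DNSSEC validation of the SSHFP record is the obvious candidate) so the reader understands that ``yes'' on a system without a validating resolver behaves like ``ask''. The text also covers only the matching case: say what happens when an SSHFP record is present but does not match the key the server offers (refuse the connection, or fall back to StrictHostKeyChecking?). Minor grammar: "as if this option was set to ``ask''" should be "were set to".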