diff options
Diffstat (limited to 'ssh_config.5')
-rw-r--r-- | ssh_config.5 | 67 |
1 files changed, 63 insertions, 4 deletions
diff --git a/ssh_config.5 b/ssh_config.5 index bd3a7127a..fa852acb1 100644 --- a/ssh_config.5 +++ b/ssh_config.5 | |||
@@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more | |||
71 | host-specific declarations should be given near the beginning of the | 71 | host-specific declarations should be given near the beginning of the |
72 | file, and general defaults at the end. | 72 | file, and general defaults at the end. |
73 | .Pp | 73 | .Pp |
74 | Note that the Debian | ||
75 | .Ic openssh-client | ||
76 | package sets several options as standard in | ||
77 | .Pa /etc/ssh/ssh_config | ||
78 | which are not the default in | ||
79 | .Xr ssh 1 : | ||
80 | .Pp | ||
81 | .Bl -bullet -offset indent -compact | ||
82 | .It | ||
83 | .Cm SendEnv No LANG LC_* | ||
84 | .It | ||
85 | .Cm HashKnownHosts No yes | ||
86 | .It | ||
87 | .Cm GSSAPIAuthentication No yes | ||
88 | .El | ||
89 | .Pp | ||
74 | The configuration file has the following format: | 90 | The configuration file has the following format: |
75 | .Pp | 91 | .Pp |
76 | Empty lines and lines starting with | 92 | Empty lines and lines starting with |
@@ -136,8 +152,12 @@ Valid arguments are | |||
136 | If set to | 152 | If set to |
137 | .Dq yes , | 153 | .Dq yes , |
138 | passphrase/password querying will be disabled. | 154 | passphrase/password querying will be disabled. |
155 | In addition, the | ||
156 | .Cm ServerAliveInterval | ||
157 | option will be set to 300 seconds by default. | ||
139 | This option is useful in scripts and other batch jobs where no user | 158 | This option is useful in scripts and other batch jobs where no user |
140 | is present to supply the password. | 159 | is present to supply the password, |
160 | and where it is desirable to detect a broken network swiftly. | ||
141 | The argument must be | 161 | The argument must be |
142 | .Dq yes | 162 | .Dq yes |
143 | or | 163 | or |
@@ -498,7 +518,8 @@ token used for the session will be set to expire after 20 minutes. | |||
498 | Remote clients will be refused access after this time. | 518 | Remote clients will be refused access after this time. |
499 | .Pp | 519 | .Pp |
500 | The default is | 520 | The default is |
501 | .Dq no . | 521 | .Dq yes |
522 | (Debian-specific). | ||
502 | .Pp | 523 | .Pp |
503 | See the X11 SECURITY extension specification for full details on | 524 | See the X11 SECURITY extension specification for full details on |
504 | the restrictions imposed on untrusted clients. | 525 | the restrictions imposed on untrusted clients. |
@@ -584,6 +605,9 @@ Note that existing names and addresses in known hosts files | |||
584 | will not be converted automatically, | 605 | will not be converted automatically, |
585 | but may be manually hashed using | 606 | but may be manually hashed using |
586 | .Xr ssh-keygen 1 . | 607 | .Xr ssh-keygen 1 . |
608 | Use of this option may break facilities such as tab-completion that rely | ||
609 | on being able to read unhashed host names from | ||
610 | .Pa ~/.ssh/known_hosts . | ||
587 | .It Cm HostbasedAuthentication | 611 | .It Cm HostbasedAuthentication |
588 | Specifies whether to try rhosts based authentication with public key | 612 | Specifies whether to try rhosts based authentication with public key |
589 | authentication. | 613 | authentication. |
@@ -1102,7 +1126,10 @@ If, for example, | |||
1102 | .Cm ServerAliveCountMax | 1126 | .Cm ServerAliveCountMax |
1103 | is left at the default, if the server becomes unresponsive, | 1127 | is left at the default, if the server becomes unresponsive, |
1104 | ssh will disconnect after approximately 45 seconds. | 1128 | ssh will disconnect after approximately 45 seconds. |
1105 | This option applies to protocol version 2 only. | 1129 | This option applies to protocol version 2 only; in protocol version |
1130 | 1 there is no mechanism to request a response from the server to the | ||
1131 | server alive messages, so disconnection is the responsibility of the TCP | ||
1132 | stack. | ||
1106 | .It Cm ServerAliveInterval | 1133 | .It Cm ServerAliveInterval |
1107 | Sets a timeout interval in seconds after which if no data has been received | 1134 | Sets a timeout interval in seconds after which if no data has been received |
1108 | from the server, | 1135 | from the server, |
@@ -1110,8 +1137,15 @@ from the server, | |||
1110 | will send a message through the encrypted | 1137 | will send a message through the encrypted |
1111 | channel to request a response from the server. | 1138 | channel to request a response from the server. |
1112 | The default | 1139 | The default |
1113 | is 0, indicating that these messages will not be sent to the server. | 1140 | is 0, indicating that these messages will not be sent to the server, |
1141 | or 300 if the | ||
1142 | .Cm BatchMode | ||
1143 | option is set. | ||
1114 | This option applies to protocol version 2 only. | 1144 | This option applies to protocol version 2 only. |
1145 | .Cm ProtocolKeepAlives | ||
1146 | and | ||
1147 | .Cm SetupTimeOut | ||
1148 | are Debian-specific compatibility aliases for this option. | ||
1115 | .It Cm StrictHostKeyChecking | 1149 | .It Cm StrictHostKeyChecking |
1116 | If this flag is set to | 1150 | If this flag is set to |
1117 | .Dq yes , | 1151 | .Dq yes , |
@@ -1150,6 +1184,12 @@ Specifies whether the system should send TCP keepalive messages to the | |||
1150 | other side. | 1184 | other side. |
1151 | If they are sent, death of the connection or crash of one | 1185 | If they are sent, death of the connection or crash of one |
1152 | of the machines will be properly noticed. | 1186 | of the machines will be properly noticed. |
1187 | This option only uses TCP keepalives (as opposed to using ssh level | ||
1188 | keepalives), so takes a long time to notice when the connection dies. | ||
1189 | As such, you probably want | ||
1190 | the | ||
1191 | .Cm ServerAliveInterval | ||
1192 | option as well. | ||
1153 | However, this means that | 1193 | However, this means that |
1154 | connections will die if the route is down temporarily, and some people | 1194 | connections will die if the route is down temporarily, and some people |
1155 | find it annoying. | 1195 | find it annoying. |
@@ -1201,6 +1241,23 @@ is not specified, it defaults to | |||
1201 | .Dq any . | 1241 | .Dq any . |
1202 | The default is | 1242 | The default is |
1203 | .Dq any:any . | 1243 | .Dq any:any . |
1244 | .It Cm UseBlacklistedKeys | ||
1245 | Specifies whether | ||
1246 | .Xr ssh 1 | ||
1247 | should use keys recorded in its blacklist of known-compromised keys (see | ||
1248 | .Xr ssh-vulnkey 1 ) | ||
1249 | for authentication. | ||
1250 | If | ||
1251 | .Dq yes , | ||
1252 | then attempts to use compromised keys for authentication will be logged but | ||
1253 | accepted. | ||
1254 | It is strongly recommended that this be used only to install new authorized | ||
1255 | keys on the remote system, and even then only with the utmost care. | ||
1256 | If | ||
1257 | .Dq no , | ||
1258 | then attempts to use compromised keys for authentication will be prevented. | ||
1259 | The default is | ||
1260 | .Dq no . | ||
1204 | .It Cm UsePrivilegedPort | 1261 | .It Cm UsePrivilegedPort |
1205 | Specifies whether to use a privileged port for outgoing connections. | 1262 | Specifies whether to use a privileged port for outgoing connections. |
1206 | The argument must be | 1263 | The argument must be |
@@ -1319,6 +1376,8 @@ The format of this file is described above. | |||
1319 | This file is used by the SSH client. | 1376 | This file is used by the SSH client. |
1320 | Because of the potential for abuse, this file must have strict permissions: | 1377 | Because of the potential for abuse, this file must have strict permissions: |
1321 | read/write for the user, and not accessible by others. | 1378 | read/write for the user, and not accessible by others. |
1379 | It may be group-writable provided that the group in question contains only | ||
1380 | the user. | ||
1322 | .It Pa /etc/ssh/ssh_config | 1381 | .It Pa /etc/ssh/ssh_config |
1323 | Systemwide configuration file. | 1382 | Systemwide configuration file. |
1324 | This file provides defaults for those | 1383 | This file provides defaults for those |