Diffstat (limited to 'ssh_config.5')
-rw-r--r-- ssh_config.5 69
1 files changed, 64 insertions, 5 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 024491b90..76e451079 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -72,6 +72,22 @@ Since the first obtained value for each parameter is used, more
72host-specific declarations should be given near the beginning of the 72host-specific declarations should be given near the beginning of the
73file, and general defaults at the end. 73file, and general defaults at the end.
74.Pp 74.Pp
75Note that the Debian
76.Ic openssh-client
77package sets several options as standard in
78.Pa /etc/ssh/ssh_config
79which are not the default in
80.Xr ssh 1 :
81.Pp
82.Bl -bullet -offset indent -compact
83.It
84.Cm SendEnv No LANG LC_*
85.It
86.Cm HashKnownHosts No yes
87.It
88.Cm GSSAPIAuthentication No yes
89.El
90.Pp
75The configuration file has the following format: 91The configuration file has the following format:
76.Pp 92.Pp
77Empty lines and lines starting with 93Empty lines and lines starting with
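Review bot: The bullet list at new lines 82-89 hard-codes three values from the shipped /etc/ssh/ssh_config into the man page, so the text goes stale as soon as the package or a local administrator edits that file. Suggest wording it as "as shipped" and pointing readers to the file for the current values. Since the preceding paragraph says the first obtained value is used, it would also help to say how a user overrides these settings for a given host.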
@@ -128,8 +144,12 @@ Valid arguments are
128If set to 144If set to
129.Dq yes , 145.Dq yes ,
130passphrase/password querying will be disabled. 146passphrase/password querying will be disabled.
147In addition, the
148.Cm ServerAliveInterval
149option will be set to 300 seconds by default.
131This option is useful in scripts and other batch jobs where no user 150This option is useful in scripts and other batch jobs where no user
132is present to supply the password. 151is present to supply the password,
152and where it is desirable to detect a broken network swiftly.
133The argument must be 153The argument must be
134.Dq yes 154.Dq yes
135or 155or
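Review bot: The sentence added at new lines 147-149 does not say whether an explicit ServerAliveInterval, including an explicit 0, takes precedence over the 300 seconds that BatchMode implies. "will be set to 300 seconds by default" can be read either way, and scripts that deliberately disable server alive messages need to know. Also, "detect a broken network swiftly" at new line 152 is a strong claim for a 300 second interval; consider "detect a broken connection" and dropping "swiftly".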
@@ -448,7 +468,8 @@ token used for the session will be set to expire after 20 minutes.
448Remote clients will be refused access after this time. 468Remote clients will be refused access after this time.
449.Pp 469.Pp
450The default is 470The default is
451.Dq no . 471.Dq yes
472(Debian-specific).
452.Pp 473.Pp
453See the X11 SECURITY extension specification for full details on 474See the X11 SECURITY extension specification for full details on
454the restrictions imposed on untrusted clients. 475the restrictions imposed on untrusted clients.
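Review bot: The default flips from "no" to "yes" at new line 471 with only "(Debian-specific)" as explanation, and the surrounding text still describes the restrictions and the 20 minute token expiry as if they were what a user gets out of the box. Suggest one sentence stating that with the Debian default remote X11 clients are treated as trusted, so the restrictions referenced at new lines 474-475 do not apply unless the option is set to "no".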
@@ -527,6 +548,9 @@ Note that existing names and addresses in known hosts files
527will not be converted automatically, 548will not be converted automatically,
528but may be manually hashed using 549but may be manually hashed using
529.Xr ssh-keygen 1 . 550.Xr ssh-keygen 1 .
551Use of this option may break facilities such as tab-completion that rely
552on being able to read unhashed host names from
553.Pa ~/.ssh/known_hosts .
530.It Cm HostbasedAuthentication 554.It Cm HostbasedAuthentication
531Specifies whether to try rhosts based authentication with public key 555Specifies whether to try rhosts based authentication with public key
532authentication. 556authentication.
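Review bot: The caveat at new lines 551-553 warns that hashing may break tab-completion, but the note added near the top of this patch says the Debian package enables HashKnownHosts as standard. Readers who hit the breakage will not learn from this entry that they are seeing the packaged default rather than something they configured. Suggest a cross-reference to that note and a short statement that setting the option to "no" restores readable host names for new entries only, given the context line that existing entries are not converted automatically.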
@@ -681,7 +705,7 @@ indicates that the port should be available from all interfaces.
681Gives the verbosity level that is used when logging messages from 705Gives the verbosity level that is used when logging messages from
682.Xr ssh 1 . 706.Xr ssh 1 .
683The possible values are: 707The possible values are:
684QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. 708SILENT, QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
685The default is INFO. 709The default is INFO.
686DEBUG and DEBUG1 are equivalent. 710DEBUG and DEBUG1 are equivalent.
687DEBUG2 and DEBUG3 each specify higher levels of verbose output. 711DEBUG2 and DEBUG3 each specify higher levels of verbose output.
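Review bot: SILENT is added to the list at new line 708 without any description of how it differs from QUIET. The following lines explain the relationship between DEBUG, DEBUG1, DEBUG2 and DEBUG3, so a matching sentence for SILENT belongs here, including whether anything at all is still logged at that level.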
@@ -935,7 +959,10 @@ If, for example,
935.Cm ServerAliveCountMax 959.Cm ServerAliveCountMax
936is left at the default, if the server becomes unresponsive, 960is left at the default, if the server becomes unresponsive,
937ssh will disconnect after approximately 45 seconds. 961ssh will disconnect after approximately 45 seconds.
938This option applies to protocol version 2 only. 962This option applies to protocol version 2 only; in protocol version
9631 there is no mechanism to request a response from the server to the
964server alive messages, so disconnection is the responsibility of the TCP
965stack.
939.It Cm ServerAliveInterval 966.It Cm ServerAliveInterval
940Sets a timeout interval in seconds after which if no data has been received 967Sets a timeout interval in seconds after which if no data has been received
941from the server, 968from the server,
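Review bot: The wording at new lines 962-965, "no mechanism to request a response from the server to the server alive messages", is hard to parse and repeats "server" three times. Something like "protocol version 1 has no way to request a reply to server alive messages" reads more clearly. Since the sentence hands disconnection to the TCP stack, a pointer to TCPKeepAlive would tell protocol 1 users which option actually governs that behaviour.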
@@ -943,8 +970,15 @@ from the server,
943will send a message through the encrypted 970will send a message through the encrypted
944channel to request a response from the server. 971channel to request a response from the server.
945The default 972The default
946is 0, indicating that these messages will not be sent to the server. 973is 0, indicating that these messages will not be sent to the server,
974or 300 if the
975.Cm BatchMode
976option is set.
947This option applies to protocol version 2 only. 977This option applies to protocol version 2 only.
978.Cm ProtocolKeepAlives
979and
980.Cm SetupTimeOut
981are Debian-specific compatibility aliases for this option.
948.It Cm SmartcardDevice 982.It Cm SmartcardDevice
949Specifies which smartcard device to use. 983Specifies which smartcard device to use.
950The argument to this keyword is the device 984The argument to this keyword is the device
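Review bot: ProtocolKeepAlives and SetupTimeOut are introduced at new lines 978-981 only as a trailing sentence, with no statement of how they interact with ServerAliveInterval when both appear in the same configuration. Given the file's first-obtained-value rule, say explicitly that the aliases set the same parameter and that whichever keyword is read first wins. It would also help to mark the aliases as deprecated in favour of ServerAliveInterval if that is the intent of "compatibility".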
@@ -990,6 +1024,12 @@ Specifies whether the system should send TCP keepalive messages to the
990other side. 1024other side.
991If they are sent, death of the connection or crash of one 1025If they are sent, death of the connection or crash of one
992of the machines will be properly noticed. 1026of the machines will be properly noticed.
1027This option only uses TCP keepalives (as opposed to using ssh level
1028keepalives), so takes a long time to notice when the connection dies.
1029As such, you probably want
1030the
1031.Cm ServerAliveInterval
1032option as well.
993However, this means that 1033However, this means that
994connections will die if the route is down temporarily, and some people 1034connections will die if the route is down temporarily, and some people
995find it annoying. 1035find it annoying.
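Review bot: The text inserted at new lines 1027-1032 lands between "will be properly noticed" and "However, this means that connections will die", so "this" now appears to refer to the ServerAliveInterval recommendation instead of to sending TCP keepalives. Suggest moving the new sentences after "find it annoying." The addition also says keepalives take "a long time to notice" a dead connection immediately after the original says death "will be properly noticed"; reword one of the two so they do not contradict each other.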
@@ -1041,6 +1081,23 @@ is not specified, it defaults to
1041.Dq any . 1081.Dq any .
1042The default is 1082The default is
1043.Dq any:any . 1083.Dq any:any .
1084.It Cm UseBlacklistedKeys
1085Specifies whether
1086.Xr ssh 1
1087should use keys recorded in its blacklist of known-compromised keys (see
1088.Xr ssh-vulnkey 1 )
1089for authentication.
1090If
1091.Dq yes ,
1092then attempts to use compromised keys for authentication will be logged but
1093accepted.
1094It is strongly recommended that this be used only to install new authorized
1095keys on the remote system, and even then only with the utmost care.
1096If
1097.Dq no ,
1098then attempts to use compromised keys for authentication will be prevented.
1099The default is
1100.Dq no .
1044.It Cm UsePrivilegedPort 1101.It Cm UsePrivilegedPort
1045Specifies whether to use a privileged port for outgoing connections. 1102Specifies whether to use a privileged port for outgoing connections.
1046The argument must be 1103The argument must be
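Review bot: The "yes" description at new lines 1090-1095 recommends using the option only to install new authorized keys, but gives no guidance on confining it to that one operation. Since this file supports host-specific declarations, recommend setting it for a single host or a single invocation and never in the general defaults. The phrase "logged but accepted" also reads as a server-side decision; for a client option, "logged but still offered" or similar describes what ssh does more accurately, and the text should say where the log message appears.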
@@ -1157,6 +1214,8 @@ The format of this file is described above.
1157This file is used by the SSH client. 1214This file is used by the SSH client.
1158Because of the potential for abuse, this file must have strict permissions: 1215Because of the potential for abuse, this file must have strict permissions:
1159read/write for the user, and not accessible by others. 1216read/write for the user, and not accessible by others.
1217It may be group-writable provided that the group in question contains only
1218the user.
1160.It Pa /etc/ssh/ssh_config 1219.It Pa /etc/ssh/ssh_config
1161Systemwide configuration file. 1220Systemwide configuration file.
1162This file provides defaults for those 1221This file provides defaults for those
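Review bot: The exception added at new lines 1217-1218 contradicts the unchanged sentence directly above it, which still says the file must be "read/write for the user, and not accessible by others". Reword the pair as one rule with one stated exception. "the group in question contains only the user" also needs defining: say whether this means the user's primary group, and whether any other member listed for that group disqualifies it, because readers will use this sentence to decide whether a group-writable file is safe.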