diff options
Diffstat (limited to 'ssh_config.5')
-rw-r--r-- | ssh_config.5 | 69 |
1 files changed, 64 insertions, 5 deletions
diff --git a/ssh_config.5 b/ssh_config.5 index 024491b90..76e451079 100644 --- a/ssh_config.5 +++ b/ssh_config.5 | |||
@@ -72,6 +72,22 @@ Since the first obtained value for each parameter is used, more | |||
72 | host-specific declarations should be given near the beginning of the | 72 | host-specific declarations should be given near the beginning of the |
73 | file, and general defaults at the end. | 73 | file, and general defaults at the end. |
74 | .Pp | 74 | .Pp |
75 | Note that the Debian | ||
76 | .Ic openssh-client | ||
77 | package sets several options as standard in | ||
78 | .Pa /etc/ssh/ssh_config | ||
79 | which are not the default in | ||
80 | .Xr ssh 1 : | ||
81 | .Pp | ||
82 | .Bl -bullet -offset indent -compact | ||
83 | .It | ||
84 | .Cm SendEnv No LANG LC_* | ||
85 | .It | ||
86 | .Cm HashKnownHosts No yes | ||
87 | .It | ||
88 | .Cm GSSAPIAuthentication No yes | ||
89 | .El | ||
90 | .Pp | ||
75 | The configuration file has the following format: | 91 | The configuration file has the following format: |
76 | .Pp | 92 | .Pp |
77 | Empty lines and lines starting with | 93 | Empty lines and lines starting with |
@@ -128,8 +144,12 @@ Valid arguments are | |||
128 | If set to | 144 | If set to |
129 | .Dq yes , | 145 | .Dq yes , |
130 | passphrase/password querying will be disabled. | 146 | passphrase/password querying will be disabled. |
147 | In addition, the | ||
148 | .Cm ServerAliveInterval | ||
149 | option will be set to 300 seconds by default. | ||
131 | This option is useful in scripts and other batch jobs where no user | 150 | This option is useful in scripts and other batch jobs where no user |
132 | is present to supply the password. | 151 | is present to supply the password, |
152 | and where it is desirable to detect a broken network swiftly. | ||
133 | The argument must be | 153 | The argument must be |
134 | .Dq yes | 154 | .Dq yes |
135 | or | 155 | or |
@@ -448,7 +468,8 @@ token used for the session will be set to expire after 20 minutes. | |||
448 | Remote clients will be refused access after this time. | 468 | Remote clients will be refused access after this time. |
449 | .Pp | 469 | .Pp |
450 | The default is | 470 | The default is |
451 | .Dq no . | 471 | .Dq yes |
472 | (Debian-specific). | ||
452 | .Pp | 473 | .Pp |
453 | See the X11 SECURITY extension specification for full details on | 474 | See the X11 SECURITY extension specification for full details on |
454 | the restrictions imposed on untrusted clients. | 475 | the restrictions imposed on untrusted clients. |
@@ -527,6 +548,9 @@ Note that existing names and addresses in known hosts files | |||
527 | will not be converted automatically, | 548 | will not be converted automatically, |
528 | but may be manually hashed using | 549 | but may be manually hashed using |
529 | .Xr ssh-keygen 1 . | 550 | .Xr ssh-keygen 1 . |
551 | Use of this option may break facilities such as tab-completion that rely | ||
552 | on being able to read unhashed host names from | ||
553 | .Pa ~/.ssh/known_hosts . | ||
530 | .It Cm HostbasedAuthentication | 554 | .It Cm HostbasedAuthentication |
531 | Specifies whether to try rhosts based authentication with public key | 555 | Specifies whether to try rhosts based authentication with public key |
532 | authentication. | 556 | authentication. |
@@ -681,7 +705,7 @@ indicates that the port should be available from all interfaces. | |||
681 | Gives the verbosity level that is used when logging messages from | 705 | Gives the verbosity level that is used when logging messages from |
682 | .Xr ssh 1 . | 706 | .Xr ssh 1 . |
683 | The possible values are: | 707 | The possible values are: |
684 | QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. | 708 | SILENT, QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. |
685 | The default is INFO. | 709 | The default is INFO. |
686 | DEBUG and DEBUG1 are equivalent. | 710 | DEBUG and DEBUG1 are equivalent. |
687 | DEBUG2 and DEBUG3 each specify higher levels of verbose output. | 711 | DEBUG2 and DEBUG3 each specify higher levels of verbose output. |
@@ -935,7 +959,10 @@ If, for example, | |||
935 | .Cm ServerAliveCountMax | 959 | .Cm ServerAliveCountMax |
936 | is left at the default, if the server becomes unresponsive, | 960 | is left at the default, if the server becomes unresponsive, |
937 | ssh will disconnect after approximately 45 seconds. | 961 | ssh will disconnect after approximately 45 seconds. |
938 | This option applies to protocol version 2 only. | 962 | This option applies to protocol version 2 only; in protocol version |
963 | 1 there is no mechanism to request a response from the server to the | ||
964 | server alive messages, so disconnection is the responsibility of the TCP | ||
965 | stack. | ||
939 | .It Cm ServerAliveInterval | 966 | .It Cm ServerAliveInterval |
940 | Sets a timeout interval in seconds after which if no data has been received | 967 | Sets a timeout interval in seconds after which if no data has been received |
941 | from the server, | 968 | from the server, |
@@ -943,8 +970,15 @@ from the server, | |||
943 | will send a message through the encrypted | 970 | will send a message through the encrypted |
944 | channel to request a response from the server. | 971 | channel to request a response from the server. |
945 | The default | 972 | The default |
946 | is 0, indicating that these messages will not be sent to the server. | 973 | is 0, indicating that these messages will not be sent to the server, |
974 | or 300 if the | ||
975 | .Cm BatchMode | ||
976 | option is set. | ||
947 | This option applies to protocol version 2 only. | 977 | This option applies to protocol version 2 only. |
978 | .Cm ProtocolKeepAlives | ||
979 | and | ||
980 | .Cm SetupTimeOut | ||
981 | are Debian-specific compatibility aliases for this option. | ||
948 | .It Cm SmartcardDevice | 982 | .It Cm SmartcardDevice |
949 | Specifies which smartcard device to use. | 983 | Specifies which smartcard device to use. |
950 | The argument to this keyword is the device | 984 | The argument to this keyword is the device |
@@ -990,6 +1024,12 @@ Specifies whether the system should send TCP keepalive messages to the | |||
990 | other side. | 1024 | other side. |
991 | If they are sent, death of the connection or crash of one | 1025 | If they are sent, death of the connection or crash of one |
992 | of the machines will be properly noticed. | 1026 | of the machines will be properly noticed. |
1027 | This option only uses TCP keepalives (as opposed to using ssh level | ||
1028 | keepalives), so takes a long time to notice when the connection dies. | ||
1029 | As such, you probably want | ||
1030 | the | ||
1031 | .Cm ServerAliveInterval | ||
1032 | option as well. | ||
993 | However, this means that | 1033 | However, this means that |
994 | connections will die if the route is down temporarily, and some people | 1034 | connections will die if the route is down temporarily, and some people |
995 | find it annoying. | 1035 | find it annoying. |
@@ -1041,6 +1081,23 @@ is not specified, it defaults to | |||
1041 | .Dq any . | 1081 | .Dq any . |
1042 | The default is | 1082 | The default is |
1043 | .Dq any:any . | 1083 | .Dq any:any . |
1084 | .It Cm UseBlacklistedKeys | ||
1085 | Specifies whether | ||
1086 | .Xr ssh 1 | ||
1087 | should use keys recorded in its blacklist of known-compromised keys (see | ||
1088 | .Xr ssh-vulnkey 1 ) | ||
1089 | for authentication. | ||
1090 | If | ||
1091 | .Dq yes , | ||
1092 | then attempts to use compromised keys for authentication will be logged but | ||
1093 | accepted. | ||
1094 | It is strongly recommended that this be used only to install new authorized | ||
1095 | keys on the remote system, and even then only with the utmost care. | ||
1096 | If | ||
1097 | .Dq no , | ||
1098 | then attempts to use compromised keys for authentication will be prevented. | ||
1099 | The default is | ||
1100 | .Dq no . | ||
1044 | .It Cm UsePrivilegedPort | 1101 | .It Cm UsePrivilegedPort |
1045 | Specifies whether to use a privileged port for outgoing connections. | 1102 | Specifies whether to use a privileged port for outgoing connections. |
1046 | The argument must be | 1103 | The argument must be |
@@ -1157,6 +1214,8 @@ The format of this file is described above. | |||
1157 | This file is used by the SSH client. | 1214 | This file is used by the SSH client. |
1158 | Because of the potential for abuse, this file must have strict permissions: | 1215 | Because of the potential for abuse, this file must have strict permissions: |
1159 | read/write for the user, and not accessible by others. | 1216 | read/write for the user, and not accessible by others. |
1217 | It may be group-writable provided that the group in question contains only | ||
1218 | the user. | ||
1160 | .It Pa /etc/ssh/ssh_config | 1219 | .It Pa /etc/ssh/ssh_config |
1161 | Systemwide configuration file. | 1220 | Systemwide configuration file. |
1162 | This file provides defaults for those | 1221 | This file provides defaults for those |