Diffstat (limited to 'ssh_config.5')
-rw-r--r-- | ssh_config.5 | 70 |
1 files changed, 65 insertions, 5 deletions
diff --git a/ssh_config.5 b/ssh_config.5 index 95af3976a..585a36878 100644 --- a/ssh_config.5 +++ b/ssh_config.5 | |||
@@ -127,8 +127,14 @@ Valid arguments are | |||
127 | If set to | 127 | If set to |
128 | .Dq yes , | 128 | .Dq yes , |
129 | passphrase/password querying will be disabled. | 129 | passphrase/password querying will be disabled. |
130 | In addition, the | ||
131 | .Cm ServerAliveInterval | ||
132 | and | ||
133 | .Cm SetupTimeOut | ||
134 | options will both be set to 300 seconds by default. | ||
130 | This option is useful in scripts and other batch jobs where no user | 135 | This option is useful in scripts and other batch jobs where no user |
131 | is present to supply the password. | 136 | is present to supply the password, |
137 | and where it is desirable to detect a broken network swiftly. | ||
132 | The argument must be | 138 | The argument must be |
133 | .Dq yes | 139 | .Dq yes |
134 | or | 140 | or |
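Review bot: the new sentence at lines 130-134 does not say whether an explicit ServerAliveInterval or SetupTimeOut in the configuration takes precedence over the 300-second value that BatchMode applies, and it does not mark the behaviour as Debian-specific even though the SetupTimeOut entry later in this patch is labelled that way. Suggest wording along the lines of "unless set explicitly" and adding the Debian-specific label here too, so a reader comparing against another system's ssh_config(5) is not surprised.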
@@ -447,7 +453,8 @@ token used for the session will be set to expire after 20 minutes. | |||
447 | Remote clients will be refused access after this time. | 453 | Remote clients will be refused access after this time. |
448 | .Pp | 454 | .Pp |
449 | The default is | 455 | The default is |
450 | .Dq no . | 456 | .Dq yes |
457 | (Debian-specific). | ||
451 | .Pp | 458 | .Pp |
452 | See the X11 SECURITY extension specification for full details on | 459 | See the X11 SECURITY extension specification for full details on |
453 | the restrictions imposed on untrusted clients. | 460 | the restrictions imposed on untrusted clients. |
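Review bot: the default flips from no to yes at new line 456 with only "(Debian-specific)" as explanation, while the surrounding text still describes the 20-minute token expiry and the restrictions imposed on untrusted clients as if they were the normal case. Since this is a security-relevant default, suggest adding a sentence stating that with this default remote X11 clients are treated as trusted, so those restrictions do not apply unless the option is set to no.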
@@ -477,11 +484,28 @@ Specifies whether user authentication based on GSSAPI is allowed. | |||
477 | The default is | 484 | The default is |
478 | .Dq no . | 485 | .Dq no . |
479 | Note that this option applies to protocol version 2 only. | 486 | Note that this option applies to protocol version 2 only. |
487 | .It Cm GSSAPIKeyExchange | ||
488 | Specifies whether key exchange based on GSSAPI may be used. When using | ||
489 | GSSAPI key exchange the server need not have a host key. | ||
490 | The default is | ||
491 | .Dq no . | ||
492 | Note that this option applies to protocol version 2 only. | ||
480 | .It Cm GSSAPIDelegateCredentials | 493 | .It Cm GSSAPIDelegateCredentials |
481 | Forward (delegate) credentials to the server. | 494 | Forward (delegate) credentials to the server. |
482 | The default is | 495 | The default is |
483 | .Dq no . | 496 | .Dq no . |
484 | Note that this option applies to protocol version 2 only. | 497 | Note that this option applies to protocol version 2 only. |
498 | .It Cm GSSAPITrustDns | ||
499 | Set to | ||
500 | .Dq yes | ||
501 | to indicate that the DNS is trusted to securely canonicalize | ||
502 | the name of the host being connected to. If | ||
503 | .Dq no , | ||
504 | the hostname entered on the | ||
505 | command line will be passed untouched to the GSSAPI library. | ||
506 | The default is | ||
507 | .Dq no . | ||
508 | This option only applies to protocol version 2 connections using GSSAPI. | ||
485 | .It Cm HashKnownHosts | 509 | .It Cm HashKnownHosts |
486 | Indicates that | 510 | Indicates that |
487 | .Xr ssh 1 | 511 | .Xr ssh 1 |
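Review bot: the GSSAPITrustDns entry at lines 498-508 says what yes asserts about the DNS but not what is at risk if that assertion is wrong, and the GSSAPIKeyExchange entry at lines 488-489 says the server need not have a host key without saying what authenticates the server instead. Suggest one sentence in each entry covering this: that with yes the name handed to the GSSAPI library is whatever the resolver returns, and that with GSSAPI key exchange the server is authenticated through GSSAPI rather than a host key. Minor: lines 488 and 502 each start a new sentence mid-line, where the rest of the page starts every sentence on its own line.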
@@ -499,6 +523,9 @@ Note that existing names and addresses in known hosts files | |||
499 | will not be converted automatically, | 523 | will not be converted automatically, |
500 | but may be manually hashed using | 524 | but may be manually hashed using |
501 | .Xr ssh-keygen 1 . | 525 | .Xr ssh-keygen 1 . |
526 | Use of this option may break facilities such as tab-completion that rely | ||
527 | on being able to read unhashed host names from | ||
528 | .Pa ~/.ssh/known_hosts . | ||
502 | .It Cm HostbasedAuthentication | 529 | .It Cm HostbasedAuthentication |
503 | Specifies whether to try rhosts based authentication with public key | 530 | Specifies whether to try rhosts based authentication with public key |
504 | authentication. | 531 | authentication. |
@@ -630,7 +657,7 @@ indicates that the port should be available from all interfaces. | |||
630 | Gives the verbosity level that is used when logging messages from | 657 | Gives the verbosity level that is used when logging messages from |
631 | .Xr ssh 1 . | 658 | .Xr ssh 1 . |
632 | The possible values are: | 659 | The possible values are: |
633 | QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. | 660 | SILENT, QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. |
634 | The default is INFO. | 661 | The default is INFO. |
635 | DEBUG and DEBUG1 are equivalent. | 662 | DEBUG and DEBUG1 are equivalent. |
636 | DEBUG2 and DEBUG3 each specify higher levels of verbose output. | 663 | DEBUG2 and DEBUG3 each specify higher levels of verbose output. |
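Review bot: SILENT is added to the list at line 660 with no description of how it differs from QUIET, and unlike the other additions in this patch it is not marked as Debian-specific. If it is a compatibility alias, say so in a following sentence, in the same way the ProtocolKeepAlives alias is documented under ServerAliveInterval.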
@@ -876,7 +903,10 @@ If, for example, | |||
876 | .Cm ServerAliveCountMax | 903 | .Cm ServerAliveCountMax |
877 | is left at the default, if the server becomes unresponsive, | 904 | is left at the default, if the server becomes unresponsive, |
878 | ssh will disconnect after approximately 45 seconds. | 905 | ssh will disconnect after approximately 45 seconds. |
879 | This option applies to protocol version 2 only. | 906 | This option applies to protocol version 2 only; in protocol version |
907 | 1 there is no mechanism to request a response from the server to the | ||
908 | server alive messages, so disconnection is the responsibility of the TCP | ||
909 | stack. | ||
880 | .It Cm ServerAliveInterval | 910 | .It Cm ServerAliveInterval |
881 | Sets a timeout interval in seconds after which if no data has been received | 911 | Sets a timeout interval in seconds after which if no data has been received |
882 | from the server, | 912 | from the server, |
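Review bot: the text added at lines 906-909 implies that server alive messages exist under protocol version 1 but go unanswered, whereas the ServerAliveInterval entry immediately below still says "This option applies to protocol version 2 only." Suggest making the two entries agree, either by stating in both that under protocol 1 the messages are sent but no reply is requested, or by dropping the protocol 1 explanation here.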
@@ -884,8 +914,30 @@ from the server, | |||
884 | will send a message through the encrypted | 914 | will send a message through the encrypted |
885 | channel to request a response from the server. | 915 | channel to request a response from the server. |
886 | The default | 916 | The default |
887 | is 0, indicating that these messages will not be sent to the server. | 917 | is 0, indicating that these messages will not be sent to the server, |
918 | or 300 if the | ||
919 | .Cm BatchMode | ||
920 | option is set. | ||
888 | This option applies to protocol version 2 only. | 921 | This option applies to protocol version 2 only. |
922 | .Cm ProtocolKeepAlives | ||
923 | is a Debian-specific compatibility alias for this option. | ||
924 | .It Cm SetupTimeOut | ||
925 | Normally, | ||
926 | .Nm ssh | ||
927 | blocks indefinitely whilst waiting to receive the ssh banner and other | ||
928 | setup protocol from the server, during the session setup. | ||
929 | This can cause | ||
930 | .Nm ssh | ||
931 | to hang under certain circumstances. | ||
932 | If this option is set, | ||
933 | .Nm ssh | ||
934 | will give up if no data from the server is received for the specified | ||
935 | number of seconds. | ||
936 | The argument must be an integer. | ||
937 | The default is 0 (disabled), or 300 if | ||
938 | .Cm BatchMode | ||
939 | is set. | ||
940 | This is a Debian-specific option. | ||
889 | .It Cm SmartcardDevice | 941 | .It Cm SmartcardDevice |
890 | Specifies which smartcard device to use. | 942 | Specifies which smartcard device to use. |
891 | The argument to this keyword is the device | 943 | The argument to this keyword is the device |
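Review bot: the SetupTimeOut entry at lines 924-940 does not say when the timeout stops applying; "the ssh banner and other setup protocol" leaves open whether the timer covers key exchange only or also user authentication. Suggest naming the point at which the timer is disarmed, and stating that an explicit 0 disables the timeout even when BatchMode is set, if that is the behaviour. The option name is also capitalised differently (TimeOut) from the style of the other keywords on this page; worth a note if that is for compatibility.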
@@ -931,6 +983,12 @@ Specifies whether the system should send TCP keepalive messages to the | |||
931 | other side. | 983 | other side. |
932 | If they are sent, death of the connection or crash of one | 984 | If they are sent, death of the connection or crash of one |
933 | of the machines will be properly noticed. | 985 | of the machines will be properly noticed. |
986 | This option only uses TCP keepalives (as opposed to using ssh level | ||
987 | keepalives), so takes a long time to notice when the connection dies. | ||
988 | As such, you probably want | ||
989 | the | ||
990 | .Cm ServerAliveInterval | ||
991 | option as well. | ||
934 | However, this means that | 992 | However, this means that |
935 | connections will die if the route is down temporarily, and some people | 993 | connections will die if the route is down temporarily, and some people |
936 | find it annoying. | 994 | find it annoying. |
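Review bot: the sentences inserted at lines 986-991 sit between "will be properly noticed." and "However, this means that connections will die", so "this" in the existing sentence now appears to refer to the ServerAliveInterval recommendation rather than to sending TCP keepalives. Suggest moving the new text after "find it annoying." Also, "you probably want" is more informal than the rest of the page; something like "ServerAliveInterval may be preferable" would match the surrounding register.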
@@ -1086,6 +1144,8 @@ The format of this file is described above. | |||
1086 | This file is used by the SSH client. | 1144 | This file is used by the SSH client. |
1087 | Because of the potential for abuse, this file must have strict permissions: | 1145 | Because of the potential for abuse, this file must have strict permissions: |
1088 | read/write for the user, and not accessible by others. | 1146 | read/write for the user, and not accessible by others. |
1147 | It may be group-writable provided that the group in question contains only | ||
1148 | the user. | ||
1089 | .It Pa /etc/ssh/ssh_config | 1149 | .It Pa /etc/ssh/ssh_config |
1090 | Systemwide configuration file. | 1150 | Systemwide configuration file. |
1091 | This file provides defaults for those | 1151 | This file provides defaults for those |
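Review bot: the exception added at lines 1147-1148 relaxes a permission check that the preceding sentence justifies with "the potential for abuse", but it does not define how "contains only the user" is determined. Suggest stating which sources of group membership are considered (for example, users who have the group as their primary group as well as those listed as members), so an administrator can tell whether a given setup passes the check.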