Diffstat (limited to 'ssh_config.5')
-rw-r--r-- | ssh_config.5 | 144 |
1 files changed, 104 insertions, 40 deletions
diff --git a/ssh_config.5 b/ssh_config.5 index 2ca7ce02f..25485f3da 100644 --- a/ssh_config.5 +++ b/ssh_config.5 | |||
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: ssh_config.5,v 1.20 2003/09/02 18:50:06 jmc Exp $ | 37 | .\" $OpenBSD: ssh_config.5,v 1.28 2003/12/16 15:49:51 markus Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSH_CONFIG 5 | 39 | .Dt SSH_CONFIG 5 |
40 | .Os | 40 | .Os |
@@ -128,7 +128,7 @@ If set to | |||
128 | .Dq yes , | 128 | .Dq yes , |
129 | passphrase/password querying will be disabled. | 129 | passphrase/password querying will be disabled. |
130 | In addition, the | 130 | In addition, the |
131 | .Cm ProtocolKeepAlives | 131 | .Cm ServerAliveInterval |
132 | and | 132 | and |
133 | .Cm SetupTimeOut | 133 | .Cm SetupTimeOut |
134 | options will both be set to 300 seconds by default. | 134 | options will both be set to 300 seconds by default. |
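Review bot: the BatchMode sentence at line 134 says ServerAliveInterval and SetupTimeOut "will both be set to 300 seconds by default", but the ServerAliveInterval entry added later in this same patch states that it applies to protocol version 2 only; qualify the sentence here (for example "... by default; ServerAliveInterval applies to protocol version 2 only") so a protocol 1 user does not expect a server-alive timeout in batch mode.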
@@ -193,7 +193,6 @@ Specifies the ciphers allowed for protocol version 2 | |||
193 | in order of preference. | 193 | in order of preference. |
194 | Multiple ciphers must be comma-separated. | 194 | Multiple ciphers must be comma-separated. |
195 | The default is | 195 | The default is |
196 | .Pp | ||
197 | .Bd -literal | 196 | .Bd -literal |
198 | ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, | 197 | ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, |
199 | aes192-cbc,aes256-cbc'' | 198 | aes192-cbc,aes256-cbc'' |
@@ -267,6 +266,7 @@ or | |||
267 | .Dq no . | 266 | .Dq no . |
268 | The default is | 267 | The default is |
269 | .Dq no . | 268 | .Dq no . |
269 | This option should be placed in the non-hostspecific section. | ||
270 | See | 270 | See |
271 | .Xr ssh-keysign 8 | 271 | .Xr ssh-keysign 8 |
272 | for more information. | 272 | for more information. |
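Review bot: "non-hostspecific" at new line 269 should read "non-host-specific", and the sentence gives no reason for the placement; one clause saying what goes wrong when the option is placed under a Host entry (why it must be read before any host matching) would tell the reader why the restriction exists rather than just stating it.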
@@ -313,9 +313,27 @@ The default is | |||
313 | .Pp | 313 | .Pp |
314 | X11 forwarding should be enabled with caution. | 314 | X11 forwarding should be enabled with caution. |
315 | Users with the ability to bypass file permissions on the remote host | 315 | Users with the ability to bypass file permissions on the remote host |
316 | (for the user's X authorization database) | 316 | (for the user's X11 authorization database) |
317 | can access the local X11 display through the forwarded connection. | 317 | can access the local X11 display through the forwarded connection. |
318 | An attacker may then be able to perform activities such as keystroke monitoring. | 318 | An attacker may then be able to perform activities such as keystroke monitoring |
319 | if the | ||
320 | .Cm ForwardX11Trusted | ||
321 | option is also enabled. | ||
322 | .It Cm ForwardX11Trusted | ||
323 | If the this option is set to | ||
324 | .Dq yes | ||
325 | then remote X11 clients will have full access to the original X11 display. | ||
326 | If this option is set to | ||
327 | .Dq no | ||
328 | then remote X11 clients will be considered untrusted and prevented | ||
329 | from stealing or tampering with data belonging to trusted X11 | ||
330 | clients. | ||
331 | .Pp | ||
332 | The default is | ||
333 | .Dq no . | ||
334 | .Pp | ||
335 | See the X11 SECURITY extension specification for full details on | ||
336 | the restrictions imposed on untrusted clients. | ||
319 | .It Cm GatewayPorts | 337 | .It Cm GatewayPorts |
320 | Specifies whether remote hosts are allowed to connect to local | 338 | Specifies whether remote hosts are allowed to connect to local |
321 | forwarded ports. | 339 | forwarded ports. |
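Review bot: typo at new line 323, "If the this option is set to" should be "If this option is set to". Also, the ForwardX11 paragraph above now ties the keystroke-monitoring risk to ForwardX11Trusted being "also enabled", but the ForwardX11Trusted entry itself never says it only has effect when ForwardX11 is enabled; a short cross-reference ("Only meaningful when ForwardX11 is enabled") would close that loop.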
@@ -339,11 +357,9 @@ Specifies a file to use for the global | |||
339 | host key database instead of | 357 | host key database instead of |
340 | .Pa /etc/ssh/ssh_known_hosts . | 358 | .Pa /etc/ssh/ssh_known_hosts . |
341 | .It Cm GSSAPIAuthentication | 359 | .It Cm GSSAPIAuthentication |
342 | Specifies whether authentication based on GSSAPI may be used, either using | 360 | Specifies whether user authentication based on GSSAPI is allowed. |
343 | the result of a successful key exchange, or using GSSAPI user | ||
344 | authentication. | ||
345 | The default is | 361 | The default is |
346 | .Dq yes . | 362 | .Dq no . |
347 | Note that this option applies to protocol version 2 only. | 363 | Note that this option applies to protocol version 2 only. |
348 | .It Cm GSSAPIDelegateCredentials | 364 | .It Cm GSSAPIDelegateCredentials |
349 | Forward (delegate) credentials to the server. | 365 | Forward (delegate) credentials to the server. |
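Review bot: this hunk changes the documented GSSAPIAuthentication default from "yes" to "no" and drops the key-exchange wording; confirm that the client-side default in readconf.c agrees with the new text, since a manual page that documents a more conservative default than the code actually uses leaves users believing GSSAPI is off when it is not (and the reverse is equally misleading). If the default really changed, the commit message should say so explicitly as a behaviour change.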
@@ -397,29 +413,6 @@ syntax to refer to a user's home directory. | |||
397 | It is possible to have | 413 | It is possible to have |
398 | multiple identity files specified in configuration files; all these | 414 | multiple identity files specified in configuration files; all these |
399 | identities will be tried in sequence. | 415 | identities will be tried in sequence. |
400 | .It Cm KeepAlive | ||
401 | Specifies whether the system should send TCP keepalive messages to the | ||
402 | other side. | ||
403 | If they are sent, death of the connection or crash of one | ||
404 | of the machines will be properly noticed. | ||
405 | This option only uses TCP keepalives (as opposed to using ssh level | ||
406 | keepalives), so takes a long time to notice when the connection dies. | ||
407 | As such, you probably want | ||
408 | the | ||
409 | .Cm ProtocolKeepAlives | ||
410 | option as well. | ||
411 | However, this means that | ||
412 | connections will die if the route is down temporarily, and some people | ||
413 | find it annoying. | ||
414 | .Pp | ||
415 | The default is | ||
416 | .Dq yes | ||
417 | (to send keepalives), and the client will notice | ||
418 | if the network goes down or the remote host dies. | ||
419 | This is important in scripts, and many users want it too. | ||
420 | .Pp | ||
421 | To disable keepalives, the value should be set to | ||
422 | .Dq no . | ||
423 | .It Cm LocalForward | 416 | .It Cm LocalForward |
424 | Specifies that a TCP/IP port on the local machine be forwarded over | 417 | Specifies that a TCP/IP port on the local machine be forwarded over |
425 | the secure channel to the specified host and port from the remote machine. | 418 | the secure channel to the specified host and port from the remote machine. |
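Review bot: KeepAlive is removed here and TCPKeepAlive is added in a later hunk with essentially the same text, but nothing in the patch says whether the old keyword is still accepted; a sentence stating that KeepAlive is a deprecated alias (if it is) or that existing ssh_config files must be updated belongs either here or under the new TCPKeepAlive entry, otherwise users whose configurations silently stop matching will not find out from the manual.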
@@ -495,14 +488,6 @@ This means that | |||
495 | .Nm ssh | 488 | .Nm ssh |
496 | tries version 2 and falls back to version 1 | 489 | tries version 2 and falls back to version 1 |
497 | if version 2 is not available. | 490 | if version 2 is not available. |
498 | .It Cm ProtocolKeepAlives | ||
499 | Specifies the interval in seconds at which IGNORE packets will be sent to | ||
500 | the server during idle periods. | ||
501 | Use this option in scripts to detect when the network fails. | ||
502 | The argument must be an integer. | ||
503 | The default is 0 (disabled), or 300 if the | ||
504 | .Cm BatchMode | ||
505 | option is set. | ||
506 | .It Cm ProxyCommand | 491 | .It Cm ProxyCommand |
507 | Specifies the command to use to connect to the server. | 492 | Specifies the command to use to connect to the server. |
508 | The command | 493 | The command |
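Review bot: the removed ProtocolKeepAlives text carried "The argument must be an integer." and "Use this option in scripts to detect when the network fails."; the replacement ServerAliveInterval entry later in the patch has neither. Carry the integer-argument sentence over at least, since the neighbouring entries state the form their argument must take.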
@@ -574,6 +559,45 @@ running. | |||
574 | The default is | 559 | The default is |
575 | .Dq yes . | 560 | .Dq yes . |
576 | Note that this option applies to protocol version 1 only. | 561 | Note that this option applies to protocol version 1 only. |
562 | .It Cm ServerAliveInterval | ||
563 | Sets a timeout interval in seconds after which if no data has been received | ||
564 | from the server, | ||
565 | .Nm ssh | ||
566 | will send a message through the encrypted | ||
567 | channel to request a response from the server. | ||
568 | The default | ||
569 | is 0, indicating that these messages will not be sent to the server, | ||
570 | or 300 if the | ||
571 | .Cm BatchMode | ||
572 | option is set. | ||
573 | This option applies to protocol version 2 only. | ||
574 | .It Cm ServerAliveCountMax | ||
575 | Sets the number of server alive messages (see above) which may be | ||
576 | sent without | ||
577 | .Nm ssh | ||
578 | receiving any messages back from the server. | ||
579 | If this threshold is reached while server alive messages are being sent, | ||
580 | .Nm ssh | ||
581 | will disconnect from the server, terminating the session. | ||
582 | It is important to note that the use of server alive messages is very | ||
583 | different from | ||
584 | .Cm TCPKeepAlive | ||
585 | (below). | ||
586 | The server alive messages are sent through the encrypted channel | ||
587 | and therefore will not be spoofable. | ||
588 | The TCP keepalive option enabled by | ||
589 | .Cm TCPKeepAlive | ||
590 | is spoofable. | ||
591 | The server alive mechanism is valuable when the client or | ||
592 | server depend on knowing when a connection has become inactive. | ||
593 | .Pp | ||
594 | The default value is 3. | ||
595 | If, for example, | ||
596 | .Cm ServerAliveInterval | ||
597 | (above) is set to 15, and | ||
598 | .Cm ServerAliveCountMax | ||
599 | is left at the default, if the server becomes unresponsive ssh | ||
600 | will disconnect after approximately 45 seconds. | ||
577 | .It Cm SetupTimeOut | 601 | .It Cm SetupTimeOut |
578 | Normally, | 602 | Normally, |
579 | .Nm ssh | 603 | .Nm ssh |
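Review bot: ordering at new lines 562 and 574: the options in this page are listed alphabetically (see ForwardX11Trusted before GatewayPorts, and this entry before SetupTimeOut), and ServerAliveCountMax sorts before ServerAliveInterval, so the two entries should be swapped, with the "(see above)" at 575 and "(above)" at 597 adjusted accordingly. Two smaller points: "after which if no data has been received from the server" at 563 needs commas ("after which, if no data has been received from the server, ssh will send"), and the bare "ssh" at 599 should be ".Nm ssh" like the other references in the entry.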
@@ -632,6 +656,29 @@ or | |||
632 | .Dq ask . | 656 | .Dq ask . |
633 | The default is | 657 | The default is |
634 | .Dq ask . | 658 | .Dq ask . |
659 | .It Cm TCPKeepAlive | ||
660 | Specifies whether the system should send TCP keepalive messages to the | ||
661 | other side. | ||
662 | If they are sent, death of the connection or crash of one | ||
663 | of the machines will be properly noticed. | ||
664 | This option only uses TCP keepalives (as opposed to using ssh level | ||
665 | keepalives), so takes a long time to notice when the connection dies. | ||
666 | As such, you probably want | ||
667 | the | ||
668 | .Cm ServerAliveInterval | ||
669 | option as well. | ||
670 | However, this means that | ||
671 | connections will die if the route is down temporarily, and some people | ||
672 | find it annoying. | ||
673 | .Pp | ||
674 | The default is | ||
675 | .Dq yes | ||
676 | (to send TCP keepalive messages), and the client will notice | ||
677 | if the network goes down or the remote host dies. | ||
678 | This is important in scripts, and many users want it too. | ||
679 | .Pp | ||
680 | To disable TCP keepalive messages, the value should be set to | ||
681 | .Dq no . | ||
635 | .It Cm UsePrivilegedPort | 682 | .It Cm UsePrivilegedPort |
636 | Specifies whether to use a privileged port for outgoing connections. | 683 | Specifies whether to use a privileged port for outgoing connections. |
637 | The argument must be | 684 | The argument must be |
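Review bot: "However, this means that connections will die if the route is down temporarily" at new line 670 is ambiguous, because the sentence immediately before it recommends ServerAliveInterval; make the subject explicit ("Sending TCP keepalives, however, means that connections will die ..."). Also "so takes a long time to notice" at 665 lacks a subject ("so it takes a long time to notice"), and since the ServerAliveCountMax entry says TCP keepalives are spoofable, a one-line pointer to that remark here would let a reader choosing between the two mechanisms find the comparison.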
@@ -661,6 +708,23 @@ host key database instead of | |||
661 | .It Cm VerifyHostKeyDNS | 708 | .It Cm VerifyHostKeyDNS |
662 | Specifies whether to verify the remote key using DNS and SSHFP resource | 709 | Specifies whether to verify the remote key using DNS and SSHFP resource |
663 | records. | 710 | records. |
711 | If this option is set to | ||
712 | .Dq yes , | ||
713 | the client will implicitly trust keys that match a secure fingerprint | ||
714 | from DNS. | ||
715 | Insecure fingerprints will be handled as if this option was set to | ||
716 | .Dq ask . | ||
717 | If this option is set to | ||
718 | .Dq ask , | ||
719 | information on fingerprint match will be displayed, but the user will still | ||
720 | need to confirm new host keys according to the | ||
721 | .Cm StrictHostKeyChecking | ||
722 | option. | ||
723 | The argument must be | ||
724 | .Dq yes , | ||
725 | .Dq no | ||
726 | or | ||
727 | .Dq ask . | ||
664 | The default is | 728 | The default is |
665 | .Dq no . | 729 | .Dq no . |
666 | Note that this option applies to protocol version 2 only. | 730 | Note that this option applies to protocol version 2 only. |
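Review bot: "secure fingerprint" at new line 713 and "Insecure fingerprints" at 715 are used without saying what distinguishes them, yet that distinction is exactly what decides whether a host key is trusted implicitly under "yes"; add a sentence stating the condition (for example, whether the DNS reply was validated) so the reader can judge the trust being placed in DNS. Also "as if this option was set to" at 715 should be "were set to", and the "The argument must be yes, no or ask" sentence at 723 would read better before the per-value descriptions, as the "ask" entry just above this hunk does.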