From d984a3c6658e950881edcfb2aae464add93f68d4 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Mon, 1 Sep 2003 00:45:47 +0000 Subject: Import OpenSSH 3.4p1. --- ssh_config.0 | 386 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 386 insertions(+) create mode 100644 ssh_config.0 (limited to 'ssh_config.0') diff --git a/ssh_config.0 b/ssh_config.0 new file mode 100644 index 000000000..9822ce8d2 --- /dev/null +++ b/ssh_config.0 @@ -0,0 +1,386 @@ +SSH_CONFIG(5) System File Formats Manual SSH_CONFIG(5) + +NAME + ssh_config - OpenSSH SSH client configuration files + +SYNOPSIS + $HOME/.ssh/config + /etc/ssh/ssh_config + +DESCRIPTION + ssh obtains configuration data from the following sources in the followM-- + ing order: command line options, user's configuration file + ($HOME/.ssh/config), and system-wide configuration file + (/etc/ssh/ssh_config). + + For each parameter, the first obtained value will be used. The configuM-- + ration files contain sections bracketed by ``Host'' specifications, and + that section is only applied for hosts that match one of the patterns + given in the specification. The matched host name is the one given on + the command line. + + Since the first obtained value for each parameter is used, more host-speM-- + cific declarations should be given near the beginning of the file, and + general defaults at the end. + + The configuration file has the following format: + + Empty lines and lines starting with `#' are comments. + + Otherwise a line is of the format ``keyword arguments''. Configuration + options may be separated by whitespace or optional whitespace and exactly + one `='; the latter format is useful to avoid the need to quote whitesM-- + pace when specifying configuration options using the ssh, scp and sftp -o + option. + + The possible keywords and their meanings are as follows (note that keyM-- + words are case-insensitive and arguments are case-sensitive): + + Host Restricts the following declarations (up to the next Host keyM-- + word) to be only for those hosts that match one of the patterns + given after the keyword. `*' and `'? can be used as wildcards + in the patterns. A single `*' as a pattern can be used to proM-- + vide global defaults for all hosts. The host is the hostname + argument given on the command line (i.e., the name is not conM-- + verted to a canonicalized host name before matching). + + AFSTokenPassing + Specifies whether to pass AFS tokens to remote host. The arguM-- + ment to this keyword must be ``yes'' or ``no''. This option + applies to protocol version 1 only. + + BatchMode + If set to ``yes'', passphrase/password querying will be disabled. + This option is useful in scripts and other batch jobs where no + user is present to supply the password. The argument must be + ``yes'' or ``no''. The default is ``no''. + + BindAddress + Specify the interface to transmit from on machines with multiple + interfaces or aliased addresses. Note that this option does not + work if UsePrivilegedPort is set to ``yes''. + + ChallengeResponseAuthentication + Specifies whether to use challenge response authentication. The + argument to this keyword must be ``yes'' or ``no''. The default + is ``yes''. + + CheckHostIP + If this flag is set to ``yes'', ssh will additionally check the + host IP address in the known_hosts file. This allows ssh to + detect if a host key changed due to DNS spoofing. If the option + is set to ``no'', the check will not be executed. The default is + ``yes''. + + Cipher Specifies the cipher to use for encrypting the session in protoM-- + col version 1. Currently, ``blowfish'', ``3des'', and ``des'' + are supported. des is only supported in the ssh client for + interoperability with legacy protocol 1 implementations that do + not support the 3des cipher. Its use is strongly discouraged due + to cryptographic weaknesses. The default is ``3des''. + + Ciphers + Specifies the ciphers allowed for protocol version 2 in order of + preference. Multiple ciphers must be comma-separated. The + default is + + ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, + aes192-cbc,aes256-cbc'' + + ClearAllForwardings + Specifies that all local, remote and dynamic port forwardings + specified in the configuration files or on the command line be + cleared. This option is primarily useful when used from the ssh + command line to clear port forwardings set in configuration + files, and is automatically set by scp(1) and sftp(1). The arguM-- + ment must be ``yes'' or ``no''. The default is ``no''. + + Compression + Specifies whether to use compression. The argument must be + ``yes'' or ``no''. The default is ``no''. + + CompressionLevel + Specifies the compression level to use if compression is enabled. + The argument must be an integer from 1 (fast) to 9 (slow, best). + The default level is 6, which is good for most applications. The + meaning of the values is the same as in gzip(1). Note that this + option applies to protocol version 1 only. + + ConnectionAttempts + Specifies the number of tries (one per second) to make before + exiting. The argument must be an integer. This may be useful in + scripts if the connection sometimes fails. The default is 1. + + DynamicForward + Specifies that a TCP/IP port on the local machine be forwarded + over the secure channel, and the application protocol is then + used to determine where to connect to from the remote machine. + The argument must be a port number. Currently the SOCKS4 protoM-- + col is supported, and ssh will act as a SOCKS4 server. Multiple + forwardings may be specified, and additional forwardings can be + given on the command line. Only the superuser can forward priviM-- + leged ports. + + EscapeChar + Sets the escape character (default: `~'). The escape character + can also be set on the command line. The argument should be a + single character, `^' followed by a letter, or ``none'' to disM-- + able the escape character entirely (making the connection transM-- + parent for binary data). + + ForwardAgent + Specifies whether the connection to the authentication agent (if + any) will be forwarded to the remote machine. The argument must + be ``yes'' or ``no''. The default is ``no''. + + ForwardX11 + Specifies whether X11 connections will be automatically rediM-- + rected over the secure channel and DISPLAY set. The argument + must be ``yes'' or ``no''. The default is ``no''. + + GatewayPorts + Specifies whether remote hosts are allowed to connect to local + forwarded ports. By default, ssh binds local port forwardings to + the loopback address. This prevents other remote hosts from conM-- + necting to forwarded ports. GatewayPorts can be used to specify + that ssh should bind local port forwardings to the wildcard + address, thus allowing remote hosts to connect to forwarded + ports. The argument must be ``yes'' or ``no''. The default is + ``no''. + + GlobalKnownHostsFile + Specifies a file to use for the global host key database instead + of /etc/ssh/ssh_known_hosts. + + HostbasedAuthentication + Specifies whether to try rhosts based authentication with public + key authentication. The argument must be ``yes'' or ``no''. The + default is ``no''. This option applies to protocol version 2 + only and is similar to RhostsRSAAuthentication. + + HostKeyAlgorithms + Specifies the protocol version 2 host key algorithms that the + client wants to use in order of preference. The default for this + option is: ``ssh-rsa,ssh-dss''. + + HostKeyAlias + Specifies an alias that should be used instead of the real host + name when looking up or saving the host key in the host key + database files. This option is useful for tunneling ssh connecM-- + tions or for multiple servers running on a single host. + + HostName + Specifies the real host name to log into. This can be used to + specify nicknames or abbreviations for hosts. Default is the + name given on the command line. Numeric IP addresses are also + permitted (both on the command line and in HostName specificaM-- + tions). + + IdentityFile + Specifies a file from which the user's RSA or DSA authentication + identity is read. The default is $HOME/.ssh/identity for protocol + version 1, and $HOME/.ssh/id_rsa and $HOME/.ssh/id_dsa for protoM-- + col version 2. Additionally, any identities represented by the + authentication agent will be used for authentication. The file + name may use the tilde syntax to refer to a user's home direcM-- + tory. It is possible to have multiple identity files specified + in configuration files; all these identities will be tried in + sequence. + + KeepAlive + Specifies whether the system should send TCP keepalive messages + to the other side. If they are sent, death of the connection or + crash of one of the machines will be properly noticed. However, + this means that connections will die if the route is down temM-- + porarily, and some people find it annoying. + + The default is ``yes'' (to send keepalives), and the client will + notice if the network goes down or the remote host dies. This is + important in scripts, and many users want it too. + + To disable keepalives, the value should be set to ``no''. + + KerberosAuthentication + Specifies whether Kerberos authentication will be used. The + argument to this keyword must be ``yes'' or ``no''. + + KerberosTgtPassing + Specifies whether a Kerberos TGT will be forwarded to the server. + This will only work if the Kerberos server is actually an AFS + kaserver. The argument to this keyword must be ``yes'' or + ``no''. + + LocalForward + Specifies that a TCP/IP port on the local machine be forwarded + over the secure channel to the specified host and port from the + remote machine. The first argument must be a port number, and + the second must be host:port. IPv6 addresses can be specified + with an alternative syntax: host/port. Multiple forwardings may + be specified, and additional forwardings can be given on the comM-- + mand line. Only the superuser can forward privileged ports. + + LogLevel + Gives the verbosity level that is used when logging messages from + ssh. The possible values are: QUIET, FATAL, ERROR, INFO, VERM-- + BOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. The default is INFO. + DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify + higher levels of verbose output. + + MACs Specifies the MAC (message authentication code) algorithms in + order of preference. The MAC algorithm is used in protocol verM-- + sion 2 for data integrity protection. Multiple algorithms must + be comma-separated. The default is + ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96''. + + NoHostAuthenticationForLocalhost + This option can be used if the home directory is shared across + machines. In this case localhost will refer to a different + machine on each of the machines and the user will get many warnM-- + ings about changed host keys. However, this option disables host + authentication for localhost. The argument to this keyword must + be ``yes'' or ``no''. The default is to check the host key for + localhost. + + NumberOfPasswordPrompts + Specifies the number of password prompts before giving up. The + argument to this keyword must be an integer. Default is 3. + + PasswordAuthentication + Specifies whether to use password authentication. The argument + to this keyword must be ``yes'' or ``no''. The default is + ``yes''. + + Port Specifies the port number to connect on the remote host. Default + is 22. + + PreferredAuthentications + Specifies the order in which the client should try protocol 2 + authentication methods. This allows a client to prefer one method + (e.g. keyboard-interactive) over another method (e.g. password) + The default for this option is: + ``hostbased,publickey,keyboard-interactive,password''. + + Protocol + Specifies the protocol versions ssh should support in order of + preference. The possible values are ``1'' and ``2''. Multiple + versions must be comma-separated. The default is ``2,1''. This + means that ssh tries version 2 and falls back to version 1 if + version 2 is not available. + + ProxyCommand + Specifies the command to use to connect to the server. The comM-- + mand string extends to the end of the line, and is executed with + /bin/sh. In the command string, `%h' will be substituted by the + host name to connect and `%p' by the port. The command can be + basically anything, and should read from its standard input and + write to its standard output. It should eventually connect an + sshd(8) server running on some machine, or execute sshd -i someM-- + where. Host key management will be done using the HostName of + the host being connected (defaulting to the name typed by the + user). Note that CheckHostIP is not available for connects with + a proxy command. + + PubkeyAuthentication + Specifies whether to try public key authentication. The argument + to this keyword must be ``yes'' or ``no''. The default is + ``yes''. This option applies to protocol version 2 only. + + RemoteForward + Specifies that a TCP/IP port on the remote machine be forwarded + over the secure channel to the specified host and port from the + local machine. The first argument must be a port number, and the + second must be host:port. IPv6 addresses can be specified with + an alternative syntax: host/port. Multiple forwardings may be + specified, and additional forwardings can be given on the command + line. Only the superuser can forward privileged ports. + + RhostsAuthentication + Specifies whether to try rhosts based authentication. Note that + this declaration only affects the client side and has no effect + whatsoever on security. Most servers do not permit RhostsAuthenM-- + tication because it is not secure (see RhostsRSAAuthentication). + The argument to this keyword must be ``yes'' or ``no''. The + default is ``no''. This option applies to protocol version 1 + only. + + RhostsRSAAuthentication + Specifies whether to try rhosts based authentication with RSA + host authentication. The argument must be ``yes'' or ``no''. + The default is ``no''. This option applies to protocol version 1 + only and requires ssh to be setuid root. + + RSAAuthentication + Specifies whether to try RSA authentication. The argument to + this keyword must be ``yes'' or ``no''. RSA authentication will + only be attempted if the identity file exists, or an authenticaM-- + tion agent is running. The default is ``yes''. Note that this + option applies to protocol version 1 only. + + SmartcardDevice + Specifies which smartcard device to use. The argument to this + keyword is the device ssh should use to communicate with a smartM-- + card used for storing the user's private RSA key. By default, no + device is specified and smartcard support is not activated. + + StrictHostKeyChecking + If this flag is set to ``yes'', ssh will never automatically add + host keys to the $HOME/.ssh/known_hosts file, and refuses to conM-- + nect to hosts whose host key has changed. This provides maximum + protection against trojan horse attacks, however, can be annoying + when the /etc/ssh/ssh_known_hosts file is poorly maintained, or + connections to new hosts are frequently made. This option forces + the user to manually add all new hosts. If this flag is set to + ``no'', ssh will automatically add new host keys to the user + known hosts files. If this flag is set to ``ask'', new host keys + will be added to the user known host files only after the user + has confirmed that is what they really want to do, and ssh will + refuse to connect to hosts whose host key has changed. The host + keys of known hosts will be verified automatically in all cases. + The argument must be ``yes'', ``no'' or ``ask''. The default is + ``ask''. + + UsePrivilegedPort + Specifies whether to use a privileged port for outgoing connecM-- + tions. The argument must be ``yes'' or ``no''. The default is + ``no''. Note that this option must be set to ``yes'' if + RhostsAuthentication and RhostsRSAAuthentication authentications + are needed with older servers. + + User Specifies the user to log in as. This can be useful when a difM-- + ferent user name is used on different machines. This saves the + trouble of having to remember to give the user name on the comM-- + mand line. + + UserKnownHostsFile + Specifies a file to use for the user host key database instead of + $HOME/.ssh/known_hosts. + + XAuthLocation + Specifies the location of the xauth(1) program. The default is + /usr/X11R6/bin/xauth. + +FILES + $HOME/.ssh/config + This is the per-user configuration file. The format of this file + is described above. This file is used by the ssh client. This + file does not usually contain any sensitive information, but the + recommended permissions are read/write for the user, and not + accessible by others. + + /etc/ssh/ssh_config + Systemwide configuration file. This file provides defaults for + those values that are not specified in the user's configuration + file, and for those users who do not have a configuration file. + This file must be world-readable. + +AUTHORS + OpenSSH is a derivative of the original and free ssh 1.2.12 release by + Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo + de Raadt and Dug Song removed many bugs, re-added newer features and creM-- + ated OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. + +SEE ALSO + ssh(1) + +BSD September 25, 1999 BSD -- cgit v1.2.3