Home Man
Search
Today's Posts
Register

Linux & Unix Commands - Search Man Pages

OpenSolaris 2009.06 - man page for ssh_config (opensolaris section 4)

ssh_config(4)				   File Formats 			    ssh_config(4)

NAME
       ssh_config - ssh configuration file

SYNOPSIS
       /etc/ssh/ssh_config

       $HOME/.ssh/config

DESCRIPTION
       The first ssh_config path, above, provides the system-wide defaults for ssh(1). The second
       version is user-specific defaults for ssh.

       ssh obtains configuration data from the following sources, in  this  order:  command  line
       options, user's configuration file ($HOME/.ssh/config), and system-wide configuration file
       (/etc/ssh/ssh_config). For each parameter, the first obtained value is used. The  configu-
       ration  files  contain  sections  bracketed  by	Host  specifications, and that section is
       applied only for hosts that match one of the patterns  given  in  the  specification.  The
       matched host name is the one given on the command line.

       Since  the  first  obtained  value  for each parameter is used, host-specific declarations
       should be given near the beginning of the file, and general defaults at the end.

       The configuration file has the following format and syntax:

	   o	  Empty lines and lines starting with # are comments.

	   o	  Non-commented lines are of the form:

		    keyword arguments

	   o	  Configuration options can be separated by white space  or  optional  whitespace
		  and  exactly	one equal sign. The latter format allows you to avoid the need to
		  quote white space when specifying configuration options using the -o option  to
		  ssh, scp, and sftp.

       The  possible  keywords	and  their meanings are listed in the following list.Keywords are
       case-insensitive and arguments are case-sensitive.

       BatchMode

	   The argument must be yes or no. If set to yes, passphrase/password  querying  is  dis-
	   abled. This option is useful in scripts and other batch jobs where you have no user to
	   supply the password.

       BindAddress

	   Specify the interface to transmit from on machines with multiple interfaces or aliased
	   addresses. This option does not work if UsePrivilegedPort is set to yes.

       CheckHostIP

	   If  this  flag  is  set  to	yes,  ssh  additionally checks the host IP address in the
	   known_hosts file. This allows ssh to detect if a host key changed due to DNS spoofing.
	   If the option is set to no, the check is not executed.

       Cipher

	   Specifies  the  cipher to use for encrypting the session in protocol version 1. Only a
	   single cipher can be specified. Currently, blowfish, 3des, and des are supported. 3des
	   (triple-des)  is  an  encrypt-decrypt-encrypt  triple with three different keys. It is
	   believed to be secure. blowfish is a fast block cipher. It appears very secure and  is
	   much  faster  than  3des. des is only supported in the ssh client for interoperability
	   with legacy protocol 1 implementations that do not support the 3des cipher. Its use is
	   strongly discouraged due to cryptographic weaknesses. The default is 3des.

       Ciphers

	   Specifies  the ciphers allowed for protocol version 2 in order of preference. Multiple
	   ciphers must be comma separated.

	   The default cipher list contains all supported ciphers in this order:

	     aes128-ctr, aes192-ctr, aes256-ctr, arcfour128, arcfour256, arcfour, aes128-cbc,
	     aes192-cbc, aes256-cbc, arcfour, 3des-cbc,blowfish-cbc

	   While CBC modes are not considered as secure as other modes in connection with the SSH
	   protocol 2 they are present at the back of the default client cipher list for backward
	   compatibility with SSH servers that do not support other cipher modes.

       ClearAllForwardings

	   Specifies that all local, remote, and dynamic port forwardings specified in	the  con-
	   figuration  files  or  on the command line be cleared. This option is primarily useful
	   when used from the ssh command line to clear port  forwardings  set	in  configuration
	   files  and is automatically set by scp(1) and sftp(1). The argument must be yes or no.
	   The default is no.

       Compression

	   Specifies whether to use compression. The argument must be yes or no. Defaults to no.

       CompressionLevel

	   Specifies the compression level to use if compression is enabled. The argument must be
	   an  integer from 1 (fast) to 9 (slow, best). The default level is 6, which is good for
	   most applications. This option applies to protocol version 1 only.

       ConnectionAttempts

	   Specifies the number of tries (one per second) to make before falling back to  rsh  or
	   exiting. The argument must be an integer. This can be useful in scripts if the connec-
	   tion sometimes fails. The default is 1.

       ConnectTimeout

	   Specifies the timeout (in seconds) used when connecting to the ssh server, instead  of
	   using  the default system TCP timeout. This value is used only when the target is down
	   or truly unreachable, not when it refuses the connection.

       DisableBanner

	   If set to yes, disables the display of the banner message.  If  set	to  in-exec-mode,
	   disables the display of banner message when in remote command mode only.

	   The default value is no, which means that the banner is displayed unless the log level
	   is QUIET, FATAL, or ERROR. See also the Banner option in sshd_config(4).  This  option
	   applies to protocol version 2 only.

       DynamicForward

	   Specifies  that  a TCP/IP port on the local machine be forwarded over the secure chan-
	   nel. The application protocol is then used to determine where to connect to	from  the
	   remote machine.

	   The argument must be [bind_address:]port. IPv6 addresses can be specified by enclosing
	   addresses in square brackets or by using an alternative  syntax:  [bind_address/]port.
	   By  default, the local port is bound in accordance with the GatewayPorts setting. How-
	   ever, an explicit bind_address can be used  to  bind  the  connection  to  a  specific
	   address.  The bind_address of localhost indicates that the listening port be bound for
	   local use only, while an empty address or * indicates that the port should  be  avail-
	   able from all interfaces.

	   Currently  the  SOCKS4  and	SOCKS5	protocols  are supported, and ssh acts as a SOCKS
	   server. Multiple forwardings can be specified and additional forwardings can be speci-
	   fied  on  the  command line. Only a user with enough privileges can forward privileged
	   ports.

       EscapeChar

	   Sets the escape character. The default is tilde (~). The escape character can also  be
	   set	on  the command line. The argument should be a single character, ^, followed by a
	   letter, or none to disable the escape character entirely (making the connection trans-
	   parent for binary data).

       FallBackToRsh

	   Specifies  that  if connecting with ssh fails due to a connection refused error (there
	   is no sshd(1M) listening on the remote host),  rsh(1)  should  automatically  be  used
	   instead  (after  a suitable warning about the session being unencrypted). The argument
	   must be yes or no.

       ForwardAgent

	   Specifies whether the connection to the authentication agent (if any) is forwarded  to
	   the remote machine. The argument must be yes or no. The default is no.

	   Agent forwarding should be enabled with caution. Users with the ability to bypass file
	   permissions on the remote host (for the agent's Unix-domain	socket)  can  access  the
	   local  agent  through the forwarded connection. An attacker cannot obtain key material
	   from the agent, however he can perform operations on  the  keys  that  enable  him  to
	   authenticate using the identities loaded into the agent.

       ForwardX11

	   Specifies whether X11 connections are automatically redirected over the secure channel
	   and DISPLAY set. The argument must be yes or no. The default is no.

	   X11 forwarding should be enabled with caution. Users with the ability to  bypass  file
	   permissions	on  the  remote host (for the user's X authorization database) can access
	   the local X11 display through the forwarded connection. An attacker might then be able
	   to  perform	activities such as keystroke monitoring. See the ForwardX11Trusted option
	   for more information how to prevent this.

       ForwardX11Trusted

	   If this option is set to yes, remote X11 clients have full access to the original  X11
	   display. This option is set to yes by default.

	   If this option is set to no, remote X11 clients are considered untrusted and prevented
	   from stealing or tampering with data belonging to trusted  X11  clients.  Furthermore,
	   the	xauth(1)  token  used  for  the session is set to expire after 20 minutes. Remote
	   clients are refused access after this time.

	   See the X11 SECURITY extension specification for  full  details  on	the  restrictions
	   imposed on untrusted clients.

       GatewayPorts

	   Specifies  whether  remote  hosts  are allowed to connect to local forwarded ports. By
	   default, ssh binds local port forwardings to the loopback address. This prevents other
	   remote  hosts  from connecting to forwarded ports. GatewayPorts can be used to specify
	   that ssh should bind local port forwardings to the  wildcard  address,  thus  allowing
	   remote  hosts  to  connect  to  forwarded  ports.  The argument must be yes or no. The
	   default is no.

       GlobalKnownHostsFile

	   Specifies a file to use instead of /etc/ssh/ssh_known_hosts.

       GSSAPIAuthentication

	   Enables/disables GSS-API user authentication. The default is yes.

       GSSAPIDelegateCredentials

	   Enables/disables GSS-API credential forwarding. The default is no.

       GSSAPIKeyExchange

	   Enables/disables GSS-API-authenticated key exchanges. The default is yes.

	   This option is intended primarily to allow users to disable the  use  of  GSS-API  key
	   exchange  for  SSHv2  when it would otherwise be selected and then fail (due to server
	   misconfiguration, for example). SSHv2 key exchange failure always results  in  discon-
	   nection.

	   This option also enables the use of the GSS-API to authenticate the user to the server
	   after the key exchange. GSS-API key exchange can succeed but the subsequent	authenti-
	   cation  using the GSS-API fail if the server does not authorize the user's GSS princi-
	   pal name to the target user account.

       HashKnownHosts

	   Indicates that ssh(1), should hash host names and addresses when  they  are	added  to
	   ~/.ssh/known_hosts.	These  hashed  names can be used normally by ssh(1) and sshd(1M),
	   but they do not reveal identifying information should  the  file's  contents  be  dis-
	   closed.  The  default is no. Existing names and addresses in known hosts files are not
	   be converted automatically, but can be manually hashed using ssh-keygen(1).

       Host

	   Restricts the following declarations (up to the next Host  keyword)	to  be	only  for
	   those  hosts  that  match one of the patterns given after the keyword. An asterisk (*)
	   and a question mark (?) can be used as wildcards in the patterns. A single asterisk as
	   a  pattern  can be used to provide global defaults for all hosts. The host is the host
	   name argument given on the command line (that is, the  name	is  not  converted  to	a
	   canonicalized host name before matching).

       HostbasedAuthentication

	   Specifies  whether  to try rhosts-based authentication with public key authentication.
	   The argument must be yes or no. The default is no. This  option  applies  to  protocol
	   version 2 only and is similar to RhostsRSAAuthentication.

       HostKeyAlgorithms

	   Specifies  the  protocol version 2 host key algorithms that the client wants to use in
	   order of preference. The default for this option is: ssh-rsa,ssh-dss.

       HostKeyAlias

	   Specifies an alias that should be used instead of the real host name when  looking  up
	   or  saving the host key in the host key database files. This option is useful for tun-
	   neling ssh connections or for multiple servers running on a single host.

       HostName

	   Specifies the real host name to log into. This can be used  to  specify  nicknames  or
	   abbreviations  for  hosts.  Default	is the name given on the command line. Numeric IP
	   addresses are also permitted (both on the command  line  and  in  HostName  specifica-
	   tions).

       IdentityFile

	   Specifies a file from which the user's RSA or DSA authentication identity is read. The
	   default is $HOME/.ssh/identity  for	protocol  version  1  and  $HOME/.ssh/id_rsa  and
	   $HOME/.ssh/id_dsa  for protocol version 2. Additionally, any identities represented by
	   the authentication agent is used for authentication. The file name can use  the  tilde
	   syntax  to  refer to a user's home directory. It is possible to have multiple identity
	   files specified in configuration files; all these identities is tried in sequence.

       IgnoreIfUnknown

	   Specifies a comma-separated list  of  ssh_config  parameters,  which,  if  unknown  to
	   ssh(1), are to be ignored by ssh.

	   This  parameter  is	primarily  intended  to  be  used  in  the  per-user  ssh_config,
	   ~/.ssh/config.  While  this	parameter  can	also  be  used	 in   the   system   wide
	   /etc/ssh/ssh_config	file,  it  is generally useless as the capabilities of the ssh(1)
	   client on that host should match that file.

       KeepAlive

	   Specifies whether the system should send TCP keepalive messages to the other side.  If
	   they  are  sent,  death  of the connection or crash of one of the machines is properly
	   noticed. However, this means that connections die if the route  is  down  temporarily,
	   which can be a source of annoyance.

	   The default is yes (to send keepalives), which means the client notices if the network
	   goes down or the remote host dies. This is important in scripts, and many  users  want
	   it  too.  To  disable keepalives, the value should be set to no in both the server and
	   the client configuration files.

       LocalForward

	   Specifies that a TCP/IP port on the local machine be forwarded over the secure channel
	   to	a   given  host:port  from  the  remote  machine.  The	first  argument  must  be
	   [bind_address:]port and the second must be host:port. IPv6 addresses can be	specified
	   by  enclosing  addresses  in  square  brackets  or  by  using  an  alternative syntax:
	   [bind_address/]port and host/port. Multiple forwardings can	be  specified  and  addi-
	   tional  forwardings	can  be given on the command line. Only a user with enough privi-
	   leges can forward privileged ports. By default, the local port is bound in  accordance
	   with  the  GatewayPorts setting. However, an explicit bind_address can be used to bind
	   the connection to a specific address. The bind_address of localhost indicates that the
	   listening port be bound for local use only, while an empty address or * indicates that
	   the port should be available from all interfaces.

       LogLevel

	   Gives the verbosity level that is used when logging messages from  ssh.  The  possible
	   values are: FATAL, ERROR, QUIET, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The
	   default is INFO. DEBUG and DEBUG1 are  equivalent.  DEBUG2  and  DEBUG3  each  specify
	   higher levels of verbose output.

       MACs

	   Specifies the MAC (message authentication code) algorithms in order of preference. The
	   MAC algorithm is used in protocol version 2 for data  integrity  protection.  Multiple
	   algorithms	must   be   comma-separated.   The  default  is  hmac-md5,hmac-sha1,hmac-
	   sha1-96,hmac-md5-96.

       NoHostAuthenticationForLocalhost

	   This option can be used if the home directory is shared across machines. In this  case
	   localhost refers to a different machine on each of the machines and the user gets many
	   warnings about changed host keys. However, this option  disables  host  authentication
	   for localhost. The argument to this keyword must be yes or no. The default is to check
	   the host key for localhost.

       NumberOfPasswordPrompts

	   Specifies the number of attempts before giving up for password  and	keyboard-interac-
	   tive  methods.  Attempts  for each method are counted separately. The argument to this
	   keyword must be an integer. The default is 3.

       PasswordAuthentication

	   Specifies whether to use password authentication. The argument to this keyword must be
	   yes or no. This option applies to both protocol versions 1 and 2. The default is yes.

       Port

	   Specifies the port number to connect on the remote host. The default is 22.

       PreferredAuthentications

	   Specifies  the order in which the client should try protocol 2 authentication methods.
	   This allows a client to prefer one method  (for  example,  keyboard-interactive)  over
	   another method (for example, password). The default for this option is: hostbased,pub-
	   lickey,keyboard-interactive,password.

       Protocol

	   Specifies the protocol versions ssh should support in order of preference. The  possi-
	   ble values are 1 and 2. Multiple versions must be comma-separated. The default is 2,1.
	   This means that ssh tries version 2 and falls back to version 1 if version  2  is  not
	   available.

       ProxyCommand

	   Specifies  the  command to use to connect to the server. The command string extends to
	   the end of the line, and is executed with /bin/sh. In the command string, %h  is  sub-
	   stituted  by  the host name to connect and %p by the port. The string can be any valid
	   command, and should read from its standard input and write to its standard output.  It
	   should  eventually connect an sshd(1M) server running on some machine, or execute sshd
	   -i somewhere. Host key management is done using the HostName of the	host  being  con-
	   nected  (defaulting	to  the name typed by the user). CheckHostIP is not available for
	   connects with a proxy command.

       PubkeyAuthentication

	   Specifies whether to try public key authentication. The argument to this keyword  must
	   be yes or no. The default is yes. This option applies to protocol version 2 only.

       RekeyLimit

	   Specifies the maximum amount of data that can be transmitted before the session key is
	   renegotiated. The argument is the number of bytes, with an optional suffix of K, M, or
	   G to indicate Kilobytes, Megabytes, or Gigabytes, respectively. The default is between
	   1G and 4G, depending on the cipher. This option applies to protocol version 2 only.

       RemoteForward

	   Specifies that a TCP/IP port on the remote machine be forwarded over the secure  chan-
	   nel	to  a  given  host:port  from  the  local  machine.  The  first  argument must be
	   [bind_address:]port and the second argument must be host:port. IPv6 addresses  can  be
	   specified by enclosing addresses in square brackets or by using an alternative syntax:
	   [bind_address/]port and host/port. You can specify multiple forwardings and give addi-
	   tional forwardings on the command line. Only a user with enough privileges can forward
	   privileged ports.

	   If the bind_address is not  specified,  the	default  is  to  only  bind  to  loopback
	   addresses.  If  the	bind_address  is  *  or  an  empty string, then the forwarding is
	   requested to listen on all interfaces. Specifying a remote bind_address only  succeeds
	   if the server's GatewayPorts option is enabled. See sshd_config(4).

       RhostsAuthentication

	   Specifies  whether  to  try rhosts-based authentication. This declaration affects only
	   the client side and has no effect whatsoever on security. Disabling rhosts authentica-
	   tion  can reduce authentication time on slow connections when rhosts authentication is
	   not used. Most servers do not permit RhostsAuthentication because  it  is  not  secure
	   (see  RhostsRSAAuthentication).  The  argument to this keyword must be yes or no. This
	   option applies only to the protocol version 1 and requires that ssh be setuid root and
	   that UsePrivilegedPort be set to yes.

       RhostsRSAAuthentication

	   Specifies  whether  to  try	rhosts-based authentication with RSA host authentication.
	   This is the primary authentication method for most sites. The argument must be yes  or
	   no. This option applies only to the protocol version 1 and requires that ssh be setuid
	   root and that UsePrivilegedPort be set to yes.

       ServerAliveCountMax

	   Sets the number of server alive messages which can be sent  without	ssh(1)	receiving
	   messages  back  from  the server. If this threshold is reached while server alive mes-
	   sages are being sent, ssh disconnects from the server, terminating  the  session.  The
	   use of server alive messages differs from TCPKeepAlive. Server alive messages are sent
	   through the encrypted channel and are not spoofable. The TCP keep alive option enabled
	   by  TCPKeepAlive  is spoofable. The server alive mechanism is valuable when the client
	   or server depend on knowing when a connection has become inactive.

	   The default value is 3. If, for example, ServerAliveInterval is set to 15 and  Server-
	   AliveCountMax  is  left at the default, ssh disconnects in 45-60 seconds if the server
	   becomes unresponsive. This option applies to protocol version 2 only.

       ServerAliveInterval

	   Sets a timeout interval in seconds after which if no data has been received	from  the
	   server,  ssh(1)  sends  a  message through the encrypted channel to request a response
	   from the server. The default is 0, indicating that these messages are not sent to  the
	   server. This option applies to protocol version 2 only.

       StrictHostKeyChecking

	   If  this  flag  is  set  to	yes,  ssh  never  automatically  adds  host  keys  to the
	   $HOME/.ssh/known_hosts file, and refuses to connect hosts whose host key has  changed.
	   This  provides  maximum  protection against trojan horse attacks. However, it can be a
	   source of inconvenience  if	you  do  not  have  good  /etc/ssh/ssh_known_hosts  files
	   installed  and  frequently  connect new hosts. This option forces the user to manually
	   add any new hosts. Normally this option is disabled, and new hosts  are  automatically
	   added to the known host files. The host keys of known hosts are verified automatically
	   in either case. The argument must be yes or no or ask. The default is ask.

       UseOpenSSLEngine

	   Specifies whether ssh should use the OpenSSL PKCS#11 engine for  off  loading  crypto-
	   graphic operations to the Cryptographic Framework. Cryptographic operations are accel-
	   erated according to the available installed plug-ins. When no  suitable  plug-ins  are
	   present this option does not have an effect. The default is yes.

       UsePrivilegedPort

	   Specifies whether to use a privileged port for outgoing connections. The argument must
	   be yes or no. The default is yes. Setting this option to no turns off  RhostsAuthenti-
	   cation and RhostsRSAAuthentication. If set to yes ssh must be setuid root. Defaults to
	   no.

       User

	   Specifies the user to log in as. This can be useful if you have different  user  names
	   on  different  machines. This saves you the trouble of having to remember to enter the
	   user name on the command line.

       UserKnownHostsFile

	   Specifies a file to use instead of $HOME/.ssh/known_hosts.

       UseRsh

	   Specifies that rlogin or rsh should be used for this host. It  is  possible	that  the
	   host does not support the ssh protocol. This causes ssh to immediately execute rsh(1).
	   All other options (except HostName) are ignored if this has been specified. The  argu-
	   ment must be yes or no.

       XAuthLocation

	   Specifies the location of the xauth(1) program. The default is /usr/openwin/bin/xauth.

SEE ALSO
       rsh(1),	ssh(1),  ssh-http-proxy-connect(1),  ssh-keygen(1),  ssh-socks5-proxy-connect(1),
       sshd(1M), sshd_config(4), kerberos(5)

       RFC 4252

SunOS 5.11				   17 Feb 2009				    ssh_config(4)


All times are GMT -4. The time now is 12:34 PM.

Unix & Linux Forums Content Copyrightę1993-2018. All Rights Reserved.
UNIX.COM Login
Username:
Password:  
Show Password