]>
Commit | Line | Data |
---|---|---|
9108f8d9 | 1 | SSH_CONFIG(5) OpenBSD Programmer's Manual SSH_CONFIG(5) |
2 | ||
3 | NAME | |
4 | ssh_config - OpenSSH SSH client configuration files | |
5 | ||
6 | SYNOPSIS | |
7 | ~/.ssh/config | |
8 | /etc/ssh/ssh_config | |
9 | ||
10 | DESCRIPTION | |
11 | ssh(1) obtains configuration data from the following sources in the fol- | |
12 | lowing order: | |
13 | ||
14 | 1. command-line options | |
15 | 2. user's configuration file (~/.ssh/config) | |
16 | 3. system-wide configuration file (/etc/ssh/ssh_config) | |
17 | ||
18 | For each parameter, the first obtained value will be used. The configu- | |
19 | ration files contain sections separated by ``Host'' specifications, and | |
20 | that section is only applied for hosts that match one of the patterns | |
21 | given in the specification. The matched host name is the one given on | |
22 | the command line. | |
23 | ||
24 | Since the first obtained value for each parameter is used, more host-spe- | |
25 | cific declarations should be given near the beginning of the file, and | |
26 | general defaults at the end. | |
27 | ||
28 | The configuration file has the following format: | |
29 | ||
30 | Empty lines and lines starting with `#' are comments. Otherwise a line | |
31 | is of the format ``keyword arguments''. Configuration options may be | |
32 | separated by whitespace or optional whitespace and exactly one `='; the | |
33 | latter format is useful to avoid the need to quote whitespace when speci- | |
34 | fying configuration options using the ssh, scp, and sftp -o option. Ar- | |
35 | guments may optionally be enclosed in double quotes (") in order to rep- | |
36 | resent arguments containing spaces. | |
37 | ||
38 | The possible keywords and their meanings are as follows (note that key- | |
39 | words are case-insensitive and arguments are case-sensitive): | |
40 | ||
41 | Host Restricts the following declarations (up to the next Host key- | |
42 | word) to be only for those hosts that match one of the patterns | |
43 | given after the keyword. A single `*' as a pattern can be used | |
44 | to provide global defaults for all hosts. The host is the | |
45 | hostname argument given on the command line (i.e. the name is not | |
46 | converted to a canonicalized host name before matching). | |
47 | ||
48 | See PATTERNS for more information on patterns. | |
49 | ||
50 | AddressFamily | |
51 | Specifies which address family to use when connecting. Valid ar- | |
52 | guments are ``any'', ``inet'' (use IPv4 only), or ``inet6'' (use | |
53 | IPv6 only). | |
54 | ||
55 | BatchMode | |
56 | If set to ``yes'', passphrase/password querying will be disabled. | |
57 | This option is useful in scripts and other batch jobs where no | |
58 | user is present to supply the password. The argument must be | |
59 | ``yes'' or ``no''. The default is ``no''. | |
60 | ||
61 | BindAddress | |
62 | Use the specified address on the local machine as the source ad- | |
63 | dress of the connection. Only useful on systems with more than | |
64 | one address. Note that this option does not work if | |
65 | UsePrivilegedPort is set to ``yes''. | |
66 | ||
67 | ChallengeResponseAuthentication | |
68 | Specifies whether to use challenge-response authentication. The | |
69 | argument to this keyword must be ``yes'' or ``no''. The default | |
70 | is ``yes''. | |
71 | ||
72 | CheckHostIP | |
73 | If this flag is set to ``yes'', ssh(1) will additionally check | |
74 | the host IP address in the known_hosts file. This allows ssh to | |
75 | detect if a host key changed due to DNS spoofing. If the option | |
76 | is set to ``no'', the check will not be executed. The default is | |
77 | ``yes''. | |
78 | ||
79 | Cipher Specifies the cipher to use for encrypting the session in proto- | |
80 | col version 1. Currently, ``blowfish'', ``3des'', and ``des'' | |
81 | are supported. des is only supported in the ssh(1) client for | |
82 | interoperability with legacy protocol 1 implementations that do | |
83 | not support the 3des cipher. Its use is strongly discouraged due | |
84 | to cryptographic weaknesses. The default is ``3des''. | |
85 | ||
86 | Ciphers | |
87 | Specifies the ciphers allowed for protocol version 2 in order of | |
88 | preference. Multiple ciphers must be comma-separated. The sup- | |
89 | ported ciphers are ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', | |
90 | ``aes256-cbc'', ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', | |
91 | ``arcfour128'', ``arcfour256'', ``arcfour'', ``blowfish-cbc'', | |
92 | and ``cast128-cbc''. The default is: | |
93 | ||
94 | aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, | |
95 | arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, | |
96 | aes192-ctr,aes256-ctr | |
97 | ||
98 | ClearAllForwardings | |
99 | Specifies that all local, remote, and dynamic port forwardings | |
100 | specified in the configuration files or on the command line be | |
101 | cleared. This option is primarily useful when used from the | |
102 | ssh(1) command line to clear port forwardings set in configura- | |
103 | tion files, and is automatically set by scp(1) and sftp(1). The | |
104 | argument must be ``yes'' or ``no''. The default is ``no''. | |
105 | ||
106 | Compression | |
107 | Specifies whether to use compression. The argument must be | |
108 | ``yes'' or ``no''. The default is ``no''. | |
109 | ||
110 | CompressionLevel | |
111 | Specifies the compression level to use if compression is enabled. | |
112 | The argument must be an integer from 1 (fast) to 9 (slow, best). | |
113 | The default level is 6, which is good for most applications. The | |
114 | meaning of the values is the same as in gzip(1). Note that this | |
115 | option applies to protocol version 1 only. | |
116 | ||
117 | ConnectionAttempts | |
118 | Specifies the number of tries (one per second) to make before ex- | |
119 | iting. The argument must be an integer. This may be useful in | |
120 | scripts if the connection sometimes fails. The default is 1. | |
121 | ||
122 | ConnectTimeout | |
123 | Specifies the timeout (in seconds) used when connecting to the | |
124 | SSH server, instead of using the default system TCP timeout. | |
125 | This value is used only when the target is down or really un- | |
126 | reachable, not when it refuses the connection. | |
127 | ||
128 | ControlMaster | |
129 | Enables the sharing of multiple sessions over a single network | |
130 | connection. When set to ``yes'', ssh(1) will listen for connec- | |
131 | tions on a control socket specified using the ControlPath argu- | |
132 | ment. Additional sessions can connect to this socket using the | |
133 | same ControlPath with ControlMaster set to ``no'' (the default). | |
134 | These sessions will try to reuse the master instance's network | |
135 | connection rather than initiating new ones, but will fall back to | |
136 | connecting normally if the control socket does not exist, or is | |
137 | not listening. | |
138 | ||
139 | Setting this to ``ask'' will cause ssh to listen for control con- | |
140 | nections, but require confirmation using the SSH_ASKPASS program | |
141 | before they are accepted (see ssh-add(1) for details). If the | |
142 | ControlPath cannot be opened, ssh will continue without connect- | |
143 | ing to a master instance. | |
144 | ||
145 | X11 and ssh-agent(1) forwarding is supported over these multi- | |
146 | plexed connections, however the display and agent forwarded will | |
147 | be the one belonging to the master connection i.e. it is not pos- | |
148 | sible to forward multiple displays or agents. | |
149 | ||
150 | Two additional options allow for opportunistic multiplexing: try | |
151 | to use a master connection but fall back to creating a new one if | |
152 | one does not already exist. These options are: ``auto'' and | |
153 | ``autoask''. The latter requires confirmation like the ``ask'' | |
154 | option. | |
155 | ||
156 | ControlPath | |
157 | Specify the path to the control socket used for connection shar- | |
158 | ing as described in the ControlMaster section above or the string | |
159 | ``none'' to disable connection sharing. In the path, `%l' will | |
160 | be substituted by the local host name, `%h' will be substituted | |
161 | by the target host name, `%p' the port, and `%r' by the remote | |
162 | login username. It is recommended that any ControlPath used for | |
163 | opportunistic connection sharing include at least %h, %p, and %r. | |
164 | This ensures that shared connections are uniquely identified. | |
165 | ||
166 | DynamicForward | |
167 | Specifies that a TCP port on the local machine be forwarded over | |
168 | the secure channel, and the application protocol is then used to | |
169 | determine where to connect to from the remote machine. | |
170 | ||
171 | The argument must be [bind_address:]port. IPv6 addresses can be | |
172 | specified by enclosing addresses in square brackets or by using | |
173 | an alternative syntax: [bind_address/]port. By default, the lo- | |
174 | cal port is bound in accordance with the GatewayPorts setting. | |
175 | However, an explicit bind_address may be used to bind the connec- | |
176 | tion to a specific address. The bind_address of ``localhost'' | |
177 | indicates that the listening port be bound for local use only, | |
178 | while an empty address or `*' indicates that the port should be | |
179 | available from all interfaces. | |
180 | ||
181 | Currently the SOCKS4 and SOCKS5 protocols are supported, and | |
182 | ssh(1) will act as a SOCKS server. Multiple forwardings may be | |
183 | specified, and additional forwardings can be given on the command | |
184 | line. Only the superuser can forward privileged ports. | |
185 | ||
186 | EnableSSHKeysign | |
187 | Setting this option to ``yes'' in the global client configuration | |
188 | file /etc/ssh/ssh_config enables the use of the helper program | |
189 | ssh-keysign(8) during HostbasedAuthentication. The argument must | |
190 | be ``yes'' or ``no''. The default is ``no''. This option should | |
191 | be placed in the non-hostspecific section. See ssh-keysign(8) | |
192 | for more information. | |
193 | ||
194 | EscapeChar | |
195 | Sets the escape character (default: `~'). The escape character | |
196 | can also be set on the command line. The argument should be a | |
197 | single character, `^' followed by a letter, or ``none'' to dis- | |
198 | able the escape character entirely (making the connection trans- | |
199 | parent for binary data). | |
200 | ||
201 | ExitOnForwardFailure | |
202 | Specifies whether ssh(1) should terminate the connection if it | |
203 | cannot set up all requested dynamic, local, and remote port for- | |
204 | wardings. The argument must be ``yes'' or ``no''. The default | |
205 | is ``no''. | |
206 | ||
207 | ForwardAgent | |
208 | Specifies whether the connection to the authentication agent (if | |
209 | any) will be forwarded to the remote machine. The argument must | |
210 | be ``yes'' or ``no''. The default is ``no''. | |
211 | ||
212 | Agent forwarding should be enabled with caution. Users with the | |
213 | ability to bypass file permissions on the remote host (for the | |
214 | agent's Unix-domain socket) can access the local agent through | |
215 | the forwarded connection. An attacker cannot obtain key material | |
216 | from the agent, however they can perform operations on the keys | |
217 | that enable them to authenticate using the identities loaded into | |
218 | the agent. | |
219 | ||
220 | ForwardX11 | |
221 | Specifies whether X11 connections will be automatically redirect- | |
222 | ed over the secure channel and DISPLAY set. The argument must be | |
223 | ``yes'' or ``no''. The default is ``no''. | |
224 | ||
225 | X11 forwarding should be enabled with caution. Users with the | |
226 | ability to bypass file permissions on the remote host (for the | |
227 | user's X11 authorization database) can access the local X11 dis- | |
228 | play through the forwarded connection. An attacker may then be | |
229 | able to perform activities such as keystroke monitoring if the | |
230 | ForwardX11Trusted option is also enabled. | |
231 | ||
232 | ForwardX11Trusted | |
233 | If this option is set to ``yes'', remote X11 clients will have | |
234 | full access to the original X11 display. | |
235 | ||
236 | If this option is set to ``no'', remote X11 clients will be con- | |
237 | sidered untrusted and prevented from stealing or tampering with | |
238 | data belonging to trusted X11 clients. Furthermore, the xauth(1) | |
239 | token used for the session will be set to expire after 20 min- | |
240 | utes. Remote clients will be refused access after this time. | |
241 | ||
242 | The default is ``no''. | |
243 | ||
244 | See the X11 SECURITY extension specification for full details on | |
245 | the restrictions imposed on untrusted clients. | |
246 | ||
247 | GatewayPorts | |
248 | Specifies whether remote hosts are allowed to connect to local | |
249 | forwarded ports. By default, ssh(1) binds local port forwardings | |
250 | to the loopback address. This prevents other remote hosts from | |
251 | connecting to forwarded ports. GatewayPorts can be used to spec- | |
252 | ify that ssh should bind local port forwardings to the wildcard | |
253 | address, thus allowing remote hosts to connect to forwarded | |
254 | ports. The argument must be ``yes'' or ``no''. The default is | |
255 | ``no''. | |
256 | ||
257 | GlobalKnownHostsFile | |
258 | Specifies a file to use for the global host key database instead | |
259 | of /etc/ssh/ssh_known_hosts. | |
260 | ||
261 | GSSAPIAuthentication | |
262 | Specifies whether user authentication based on GSSAPI is allowed. | |
263 | The default is ``no''. Note that this option applies to protocol | |
264 | version 2 only. | |
265 | ||
266 | GSSAPIDelegateCredentials | |
267 | Forward (delegate) credentials to the server. The default is | |
268 | ``no''. Note that this option applies to protocol version 2 on- | |
269 | ly. | |
270 | ||
271 | HashKnownHosts | |
272 | Indicates that ssh(1) should hash host names and addresses when | |
273 | they are added to ~/.ssh/known_hosts. These hashed names may be | |
274 | used normally by ssh(1) and sshd(8), but they do not reveal iden- | |
275 | tifying information should the file's contents be disclosed. The | |
276 | default is ``no''. Note that existing names and addresses in | |
277 | known hosts files will not be converted automatically, but may be | |
278 | manually hashed using ssh-keygen(1). | |
279 | ||
280 | HostbasedAuthentication | |
281 | Specifies whether to try rhosts based authentication with public | |
282 | key authentication. The argument must be ``yes'' or ``no''. The | |
283 | default is ``no''. This option applies to protocol version 2 on- | |
284 | ly and is similar to RhostsRSAAuthentication. | |
285 | ||
286 | HostKeyAlgorithms | |
287 | Specifies the protocol version 2 host key algorithms that the | |
288 | client wants to use in order of preference. The default for this | |
289 | option is: ``ssh-rsa,ssh-dss''. | |
290 | ||
291 | HostKeyAlias | |
292 | Specifies an alias that should be used instead of the real host | |
293 | name when looking up or saving the host key in the host key | |
294 | database files. This option is useful for tunneling SSH connec- | |
295 | tions or for multiple servers running on a single host. | |
296 | ||
297 | HostName | |
298 | Specifies the real host name to log into. This can be used to | |
299 | specify nicknames or abbreviations for hosts. The default is the | |
300 | name given on the command line. Numeric IP addresses are also | |
301 | permitted (both on the command line and in HostName specifica- | |
302 | tions). | |
303 | ||
304 | IdentitiesOnly | |
305 | Specifies that ssh(1) should only use the authentication identity | |
306 | files configured in the ssh_config files, even if ssh-agent(1) | |
307 | offers more identities. The argument to this keyword must be | |
308 | ``yes'' or ``no''. This option is intended for situations where | |
309 | ssh-agent offers many different identities. The default is | |
310 | ``no''. | |
311 | ||
312 | IdentityFile | |
313 | Specifies a file from which the user's RSA or DSA authentication | |
314 | identity is read. The default is ~/.ssh/identity for protocol | |
315 | version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol ver- | |
316 | sion 2. Additionally, any identities represented by the authen- | |
317 | tication agent will be used for authentication. | |
318 | ||
319 | The file name may use the tilde syntax to refer to a user's home | |
320 | directory or one of the following escape characters: `%d' (local | |
321 | user's home directory), `%u' (local user name), `%l' (local host | |
322 | name), `%h' (remote host name) or `%r' (remote user name). | |
323 | ||
324 | It is possible to have multiple identity files specified in con- | |
325 | figuration files; all these identities will be tried in sequence. | |
326 | ||
327 | KbdInteractiveDevices | |
328 | Specifies the list of methods to use in keyboard-interactive au- | |
329 | thentication. Multiple method names must be comma-separated. | |
330 | The default is to use the server specified list. The methods | |
331 | available vary depending on what the server supports. For an | |
332 | OpenSSH server, it may be zero or more of: ``bsdauth'', ``pam'', | |
333 | and ``skey''. | |
334 | ||
335 | LocalCommand | |
336 | Specifies a command to execute on the local machine after suc- | |
337 | cessfully connecting to the server. The command string extends | |
338 | to the end of the line, and is executed with /bin/sh. This di- | |
339 | rective is ignored unless PermitLocalCommand has been enabled. | |
340 | ||
341 | LocalForward | |
342 | Specifies that a TCP port on the local machine be forwarded over | |
343 | the secure channel to the specified host and port from the remote | |
344 | machine. The first argument must be [bind_address:]port and the | |
345 | second argument must be host:hostport. IPv6 addresses can be | |
346 | specified by enclosing addresses in square brackets or by using | |
347 | an alternative syntax: [bind_address/]port and host/hostport. | |
348 | Multiple forwardings may be specified, and additional forwardings | |
349 | can be given on the command line. Only the superuser can forward | |
350 | privileged ports. By default, the local port is bound in accor- | |
351 | dance with the GatewayPorts setting. However, an explicit | |
352 | bind_address may be used to bind the connection to a specific ad- | |
353 | dress. The bind_address of ``localhost'' indicates that the lis- | |
354 | tening port be bound for local use only, while an empty address | |
355 | or `*' indicates that the port should be available from all in- | |
356 | terfaces. | |
357 | ||
358 | LogLevel | |
359 | Gives the verbosity level that is used when logging messages from | |
360 | ssh(1). The possible values are: QUIET, FATAL, ERROR, INFO, VER- | |
361 | BOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. | |
362 | DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify | |
363 | higher levels of verbose output. | |
364 | ||
365 | MACs Specifies the MAC (message authentication code) algorithms in or- | |
366 | der of preference. The MAC algorithm is used in protocol version | |
367 | 2 for data integrity protection. Multiple algorithms must be | |
368 | comma-separated. The default is: ``hmac-md5,hmac-sha1,hmac- | |
369 | ripemd160,hmac-sha1-96,hmac-md5-96''. | |
370 | ||
371 | NoHostAuthenticationForLocalhost | |
372 | This option can be used if the home directory is shared across | |
373 | machines. In this case localhost will refer to a different ma- | |
374 | chine on each of the machines and the user will get many warnings | |
375 | about changed host keys. However, this option disables host au- | |
376 | thentication for localhost. The argument to this keyword must be | |
377 | ``yes'' or ``no''. The default is to check the host key for lo- | |
378 | calhost. | |
379 | ||
380 | NumberOfPasswordPrompts | |
381 | Specifies the number of password prompts before giving up. The | |
382 | argument to this keyword must be an integer. The default is 3. | |
383 | ||
384 | PasswordAuthentication | |
385 | Specifies whether to use password authentication. The argument | |
386 | to this keyword must be ``yes'' or ``no''. The default is | |
387 | ``yes''. | |
388 | ||
389 | PermitLocalCommand | |
390 | Allow local command execution via the LocalCommand option or us- | |
391 | ing the !command escape sequence in ssh(1). The argument must be | |
392 | ``yes'' or ``no''. The default is ``no''. | |
393 | ||
394 | Port Specifies the port number to connect on the remote host. The de- | |
395 | fault is 22. | |
396 | ||
397 | PreferredAuthentications | |
398 | Specifies the order in which the client should try protocol 2 au- | |
399 | thentication methods. This allows a client to prefer one method | |
400 | (e.g. keyboard-interactive) over another method (e.g. password) | |
401 | The default for this option is: ``gssapi-with-mic,hostbased, | |
402 | publickey, keyboard-interactive, password''. | |
403 | ||
404 | Protocol | |
405 | Specifies the protocol versions ssh(1) should support in order of | |
406 | preference. The possible values are `1' and `2'. Multiple ver- | |
407 | sions must be comma-separated. The default is ``2,1''. This | |
408 | means that ssh tries version 2 and falls back to version 1 if | |
409 | version 2 is not available. | |
410 | ||
411 | ProxyCommand | |
412 | Specifies the command to use to connect to the server. The com- | |
413 | mand string extends to the end of the line, and is executed with | |
414 | /bin/sh. In the command string, `%h' will be substituted by the | |
415 | host name to connect and `%p' by the port. The command can be | |
416 | basically anything, and should read from its standard input and | |
417 | write to its standard output. It should eventually connect an | |
418 | sshd(8) server running on some machine, or execute sshd -i some- | |
419 | where. Host key management will be done using the HostName of | |
420 | the host being connected (defaulting to the name typed by the us- | |
421 | er). Setting the command to ``none'' disables this option en- | |
422 | tirely. Note that CheckHostIP is not available for connects with | |
423 | a proxy command. | |
424 | ||
425 | This directive is useful in conjunction with nc(1) and its proxy | |
426 | support. For example, the following directive would connect via | |
427 | an HTTP proxy at 192.0.2.0: | |
428 | ||
429 | ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p | |
430 | ||
431 | PubkeyAuthentication | |
432 | Specifies whether to try public key authentication. The argument | |
433 | to this keyword must be ``yes'' or ``no''. The default is | |
434 | ``yes''. This option applies to protocol version 2 only. | |
435 | ||
436 | RekeyLimit | |
437 | Specifies the maximum amount of data that may be transmitted be- | |
438 | fore the session key is renegotiated. The argument is the number | |
439 | of bytes, with an optional suffix of `K', `M', or `G' to indicate | |
440 | Kilobytes, Megabytes, or Gigabytes, respectively. The default is | |
441 | between `1G' and `4G', depending on the cipher. This option ap- | |
442 | plies to protocol version 2 only. | |
443 | ||
444 | RemoteForward | |
445 | Specifies that a TCP port on the remote machine be forwarded over | |
446 | the secure channel to the specified host and port from the local | |
447 | machine. The first argument must be [bind_address:]port and the | |
448 | second argument must be host:hostport. IPv6 addresses can be | |
449 | specified by enclosing addresses in square brackets or by using | |
450 | an alternative syntax: [bind_address/]port and host/hostport. | |
451 | Multiple forwardings may be specified, and additional forwardings | |
452 | can be given on the command line. Only the superuser can forward | |
453 | privileged ports. | |
454 | ||
455 | If the bind_address is not specified, the default is to only bind | |
456 | to loopback addresses. If the bind_address is `*' or an empty | |
457 | string, then the forwarding is requested to listen on all inter- | |
458 | faces. Specifying a remote bind_address will only succeed if the | |
459 | server's GatewayPorts option is enabled (see sshd_config(5)). | |
460 | ||
461 | RhostsRSAAuthentication | |
462 | Specifies whether to try rhosts based authentication with RSA | |
463 | host authentication. The argument must be ``yes'' or ``no''. | |
464 | The default is ``no''. This option applies to protocol version 1 | |
465 | only and requires ssh(1) to be setuid root. | |
466 | ||
467 | RSAAuthentication | |
468 | Specifies whether to try RSA authentication. The argument to | |
469 | this keyword must be ``yes'' or ``no''. RSA authentication will | |
470 | only be attempted if the identity file exists, or an authentica- | |
471 | tion agent is running. The default is ``yes''. Note that this | |
472 | option applies to protocol version 1 only. | |
473 | ||
474 | SendEnv | |
475 | Specifies what variables from the local environ(7) should be sent | |
476 | to the server. Note that environment passing is only supported | |
477 | for protocol 2. The server must also support it, and the server | |
478 | must be configured to accept these environment variables. Refer | |
479 | to AcceptEnv in sshd_config(5) for how to configure the server. | |
480 | Variables are specified by name, which may contain wildcard char- | |
481 | acters. Multiple environment variables may be separated by | |
482 | whitespace or spread across multiple SendEnv directives. The de- | |
483 | fault is not to send any environment variables. | |
484 | ||
485 | See PATTERNS for more information on patterns. | |
486 | ||
487 | ServerAliveCountMax | |
488 | Sets the number of server alive messages (see below) which may be | |
489 | sent without ssh(1) receiving any messages back from the server. | |
490 | If this threshold is reached while server alive messages are be- | |
491 | ing sent, ssh will disconnect from the server, terminating the | |
492 | session. It is important to note that the use of server alive | |
493 | messages is very different from TCPKeepAlive (below). The server | |
494 | alive messages are sent through the encrypted channel and there- | |
495 | fore will not be spoofable. The TCP keepalive option enabled by | |
496 | TCPKeepAlive is spoofable. The server alive mechanism is valu- | |
497 | able when the client or server depend on knowing when a connec- | |
498 | tion has become inactive. | |
499 | ||
500 | The default value is 3. If, for example, ServerAliveInterval | |
501 | (see below) is set to 15 and ServerAliveCountMax is left at the | |
502 | default, if the server becomes unresponsive, ssh will disconnect | |
503 | after approximately 45 seconds. This option applies to protocol | |
504 | version 2 only. | |
505 | ||
506 | ServerAliveInterval | |
507 | Sets a timeout interval in seconds after which if no data has | |
508 | been received from the server, ssh(1) will send a message through | |
509 | the encrypted channel to request a response from the server. The | |
510 | default is 0, indicating that these messages will not be sent to | |
511 | the server. This option applies to protocol version 2 only. | |
512 | ||
513 | SmartcardDevice | |
514 | Specifies which smartcard device to use. The argument to this | |
515 | keyword is the device ssh(1) should use to communicate with a | |
516 | smartcard used for storing the user's private RSA key. By de- | |
517 | fault, no device is specified and smartcard support is not acti- | |
518 | vated. | |
519 | ||
520 | StrictHostKeyChecking | |
521 | If this flag is set to ``yes'', ssh(1) will never automatically | |
522 | add host keys to the ~/.ssh/known_hosts file, and refuses to con- | |
523 | nect to hosts whose host key has changed. This provides maximum | |
524 | protection against trojan horse attacks, though it can be annoy- | |
525 | ing when the /etc/ssh/ssh_known_hosts file is poorly maintained | |
526 | or when connections to new hosts are frequently made. This op- | |
527 | tion forces the user to manually add all new hosts. If this flag | |
528 | is set to ``no'', ssh will automatically add new host keys to the | |
529 | user known hosts files. If this flag is set to ``ask'', new host | |
530 | keys will be added to the user known host files only after the | |
531 | user has confirmed that is what they really want to do, and ssh | |
532 | will refuse to connect to hosts whose host key has changed. The | |
533 | host keys of known hosts will be verified automatically in all | |
534 | cases. The argument must be ``yes'', ``no'', or ``ask''. The | |
535 | default is ``ask''. | |
536 | ||
537 | TCPKeepAlive | |
538 | Specifies whether the system should send TCP keepalive messages | |
539 | to the other side. If they are sent, death of the connection or | |
540 | crash of one of the machines will be properly noticed. However, | |
541 | this means that connections will die if the route is down tem- | |
542 | porarily, and some people find it annoying. | |
543 | ||
544 | The default is ``yes'' (to send TCP keepalive messages), and the | |
545 | client will notice if the network goes down or the remote host | |
546 | dies. This is important in scripts, and many users want it too. | |
547 | ||
548 | To disable TCP keepalive messages, the value should be set to | |
549 | ``no''. | |
550 | ||
551 | Tunnel Request tun(4) device forwarding between the client and the serv- | |
552 | er. The argument must be ``yes'', ``point-to-point'' (layer 3), | |
553 | ``ethernet'' (layer 2), or ``no''. Specifying ``yes'' requests | |
554 | the default tunnel mode, which is ``point-to-point''. The de- | |
555 | fault is ``no''. | |
556 | ||
557 | TunnelDevice | |
558 | Specifies the tun(4) devices to open on the client (local_tun) | |
559 | and the server (remote_tun). | |
560 | ||
561 | The argument must be local_tun[:remote_tun]. The devices may be | |
562 | specified by numerical ID or the keyword ``any'', which uses the | |
563 | next available tunnel device. If remote_tun is not specified, it | |
564 | defaults to ``any''. The default is ``any:any''. | |
565 | ||
566 | UsePrivilegedPort | |
567 | Specifies whether to use a privileged port for outgoing connec- | |
568 | tions. The argument must be ``yes'' or ``no''. The default is | |
569 | ``no''. If set to ``yes'', ssh(1) must be setuid root. Note | |
570 | that this option must be set to ``yes'' for | |
571 | RhostsRSAAuthentication with older servers. | |
572 | ||
573 | User Specifies the user to log in as. This can be useful when a dif- | |
574 | ferent user name is used on different machines. This saves the | |
575 | trouble of having to remember to give the user name on the com- | |
576 | mand line. | |
577 | ||
578 | UserKnownHostsFile | |
579 | Specifies a file to use for the user host key database instead of | |
580 | ~/.ssh/known_hosts. | |
581 | ||
582 | VerifyHostKeyDNS | |
583 | Specifies whether to verify the remote key using DNS and SSHFP | |
584 | resource records. If this option is set to ``yes'', the client | |
585 | will implicitly trust keys that match a secure fingerprint from | |
586 | DNS. Insecure fingerprints will be handled as if this option was | |
587 | set to ``ask''. If this option is set to ``ask'', information on | |
588 | fingerprint match will be displayed, but the user will still need | |
589 | to confirm new host keys according to the StrictHostKeyChecking | |
590 | option. The argument must be ``yes'', ``no'', or ``ask''. The | |
591 | default is ``no''. Note that this option applies to protocol | |
592 | version 2 only. | |
593 | ||
594 | See also VERIFYING HOST KEYS in ssh(1). | |
595 | ||
596 | XAuthLocation | |
597 | Specifies the full pathname of the xauth(1) program. The default | |
598 | is /usr/X11R6/bin/xauth. | |
599 | ||
600 | PATTERNS | |
601 | A pattern consists of zero or more non-whitespace characters, `*' (a | |
602 | wildcard that matches zero or more characters), or `?' (a wildcard that | |
603 | matches exactly one character). For example, to specify a set of decla- | |
604 | rations for any host in the ``.co.uk'' set of domains, the following pat- | |
605 | tern could be used: | |
606 | ||
607 | Host *.co.uk | |
608 | ||
609 | The following pattern would match any host in the 192.168.0.[0-9] network | |
610 | range: | |
611 | ||
612 | Host 192.168.0.? | |
613 | ||
614 | A pattern-list is a comma-separated list of patterns. Patterns within | |
615 | pattern-lists may be negated by preceding them with an exclamation mark | |
616 | (`!'). For example, to allow a key to be used from anywhere within an | |
617 | organisation except from the ``dialup'' pool, the following entry (in au- | |
618 | thorized_keys) could be used: | |
619 | ||
620 | from="!*.dialup.example.com,*.example.com" | |
621 | ||
622 | FILES | |
623 | ~/.ssh/config | |
624 | This is the per-user configuration file. The format of this file | |
625 | is described above. This file is used by the SSH client. Be- | |
626 | cause of the potential for abuse, this file must have strict per- | |
627 | missions: read/write for the user, and not accessible by others. | |
628 | ||
629 | /etc/ssh/ssh_config | |
630 | Systemwide configuration file. This file provides defaults for | |
631 | those values that are not specified in the user's configuration | |
632 | file, and for those users who do not have a configuration file. | |
633 | This file must be world-readable. | |
634 | ||
635 | SEE ALSO | |
636 | ssh(1) | |
637 | ||
638 | AUTHORS | |
639 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by | |
640 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo | |
641 | de Raadt and Dug Song removed many bugs, re-added newer features and cre- | |
642 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol | |
643 | versions 1.5 and 2.0. | |
644 | ||
645 | OpenBSD 4.0 September 25, 1999 10 |