1 SSH_CONFIG(5) BSD File Formats Manual SSH_CONFIG(5)
4 ssh_config - OpenSSH SSH client configuration files
11 ssh(1) obtains configuration data from the following sources in the fol-
14 1. command-line options
15 2. user's configuration file (~/.ssh/config)
16 3. GSSAPI configuration file ($HOME/.ssh/config.gssapi)
17 4. Kerberos configuration file ($HOME/.ssh/config.krb)
18 5. system-wide configuration file (/etc/ssh/ssh_config)
20 For each parameter, the first obtained value will be used. The configu-
21 ration files contain sections separated by ``Host'' specifications, and
22 that section is only applied for hosts that match one of the patterns
23 given in the specification. The matched host name is the one given on
26 Since the first obtained value for each parameter is used, more host-spe-
27 cific declarations should be given near the beginning of the file, and
28 general defaults at the end.
30 The configuration file has the following format:
32 Empty lines and lines starting with '#' are comments. Otherwise a line
33 is of the format ``keyword arguments''. Configuration options may be
34 separated by whitespace or optional whitespace and exactly one '='; the
35 latter format is useful to avoid the need to quote whitespace when speci-
36 fying configuration options using the ssh, scp, and sftp -o option.
37 Arguments may optionally be enclosed in double quotes (") in order to
38 represent arguments containing spaces.
40 The possible keywords and their meanings are as follows (note that key-
41 words are case-insensitive and arguments are case-sensitive):
43 Host Restricts the following declarations (up to the next Host key-
44 word) to be only for those hosts that match one of the patterns
45 given after the keyword. A single '*' as a pattern can be used
46 to provide global defaults for all hosts. The host is the
47 hostname argument given on the command line (i.e. the name is not
48 converted to a canonicalized host name before matching).
50 See PATTERNS for more information on patterns.
53 Specifies which address family to use when connecting. Valid
54 arguments are ``any'', ``inet'' (use IPv4 only), or ``inet6''
58 If set to ``yes'', passphrase/password querying will be disabled.
59 This option is useful in scripts and other batch jobs where no
60 user is present to supply the password. The argument must be
61 ``yes'' or ``no''. The default is ``no''.
64 Use the specified address on the local machine as the source
65 address of the connection. Only useful on systems with more than
66 one address. Note that this option does not work if
67 UsePrivilegedPort is set to ``yes''.
69 ChallengeResponseAuthentication
70 Specifies whether to use challenge-response authentication. The
71 argument to this keyword must be ``yes'' or ``no''. The default
75 If this flag is set to ``yes'', ssh(1) will additionally check
76 the host IP address in the known_hosts file. This allows ssh to
77 detect if a host key changed due to DNS spoofing. If the option
78 is set to ``no'', the check will not be executed. The default is
81 Cipher Specifies the cipher to use for encrypting the session in proto-
82 col version 1. Currently, ``blowfish'', ``3des'', and ``des''
83 are supported. des is only supported in the ssh(1) client for
84 interoperability with legacy protocol 1 implementations that do
85 not support the 3des cipher. Its use is strongly discouraged due
86 to cryptographic weaknesses. The default is ``3des''.
89 Specifies the ciphers allowed for protocol version 2 in order of
90 preference. Multiple ciphers must be comma-separated. The sup-
91 ported ciphers are ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'',
92 ``aes256-cbc'', ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'',
93 ``arcfour128'', ``arcfour256'', ``arcfour'', ``blowfish-cbc'',
94 and ``cast128-cbc''. The default is:
96 aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
97 arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
101 Specifies that all local, remote, and dynamic port forwardings
102 specified in the configuration files or on the command line be
103 cleared. This option is primarily useful when used from the
104 ssh(1) command line to clear port forwardings set in configura-
105 tion files, and is automatically set by scp(1) and sftp(1). The
106 argument must be ``yes'' or ``no''. The default is ``no''.
109 Specifies whether to use compression. The argument must be
110 ``yes'' or ``no''. The default is ``no''.
113 Specifies the compression level to use if compression is enabled.
114 The argument must be an integer from 1 (fast) to 9 (slow, best).
115 The default level is 6, which is good for most applications. The
116 meaning of the values is the same as in gzip(1). Note that this
117 option applies to protocol version 1 only.
120 Specifies the number of tries (one per second) to make before
121 exiting. The argument must be an integer. This may be useful in
122 scripts if the connection sometimes fails. The default is 1.
125 Specifies the timeout (in seconds) used when connecting to the
126 SSH server, instead of using the default system TCP timeout.
127 This value is used only when the target is down or really
128 unreachable, not when it refuses the connection.
131 Enables the sharing of multiple sessions over a single network
132 connection. When set to ``yes'', ssh(1) will listen for connec-
133 tions on a control socket specified using the ControlPath argu-
134 ment. Additional sessions can connect to this socket using the
135 same ControlPath with ControlMaster set to ``no'' (the default).
136 These sessions will try to reuse the master instance's network
137 connection rather than initiating new ones, but will fall back to
138 connecting normally if the control socket does not exist, or is
141 Setting this to ``ask'' will cause ssh to listen for control con-
142 nections, but require confirmation using the SSH_ASKPASS program
143 before they are accepted (see ssh-add(1) for details). If the
144 ControlPath cannot be opened, ssh will continue without connect-
145 ing to a master instance.
147 X11 and ssh-agent(1) forwarding is supported over these multi-
148 plexed connections, however the display and agent forwarded will
149 be the one belonging to the master connection i.e. it is not pos-
150 sible to forward multiple displays or agents.
152 Two additional options allow for opportunistic multiplexing: try
153 to use a master connection but fall back to creating a new one if
154 one does not already exist. These options are: ``auto'' and
155 ``autoask''. The latter requires confirmation like the ``ask''
159 Specify the path to the control socket used for connection shar-
160 ing as described in the ControlMaster section above or the string
161 ``none'' to disable connection sharing. In the path, '%l' will
162 be substituted by the local host name, '%h' will be substituted
163 by the target host name, '%p' the port, and '%r' by the remote
164 login username. It is recommended that any ControlPath used for
165 opportunistic connection sharing include at least %h, %p, and %r.
166 This ensures that shared connections are uniquely identified.
169 Specifies that a TCP port on the local machine be forwarded over
170 the secure channel, and the application protocol is then used to
171 determine where to connect to from the remote machine.
173 The argument must be [bind_address:]port. IPv6 addresses can be
174 specified by enclosing addresses in square brackets or by using
175 an alternative syntax: [bind_address/]port. By default, the
176 local port is bound in accordance with the GatewayPorts setting.
177 However, an explicit bind_address may be used to bind the connec-
178 tion to a specific address. The bind_address of ``localhost''
179 indicates that the listening port be bound for local use only,
180 while an empty address or '*' indicates that the port should be
181 available from all interfaces.
183 Currently the SOCKS4 and SOCKS5 protocols are supported, and
184 ssh(1) will act as a SOCKS server. Multiple forwardings may be
185 specified, and additional forwardings can be given on the command
186 line. Only the superuser can forward privileged ports.
189 Setting this option to ``yes'' in the global client configuration
190 file /etc/ssh/ssh_config enables the use of the helper program
191 ssh-keysign(8) during HostbasedAuthentication. The argument must
192 be ``yes'' or ``no''. The default is ``no''. This option should
193 be placed in the non-hostspecific section. See ssh-keysign(8)
194 for more information.
197 Sets the escape character (default: '~'). The escape character
198 can also be set on the command line. The argument should be a
199 single character, '^' followed by a letter, or ``none'' to dis-
200 able the escape character entirely (making the connection trans-
201 parent for binary data).
204 Specifies whether ssh(1) should terminate the connection if it
205 cannot set up all requested dynamic, local, and remote port for-
206 wardings. The argument must be ``yes'' or ``no''. The default
210 Specifies whether the connection to the authentication agent (if
211 any) will be forwarded to the remote machine. The argument must
212 be ``yes'' or ``no''. The default is ``no''.
214 Agent forwarding should be enabled with caution. Users with the
215 ability to bypass file permissions on the remote host (for the
216 agent's Unix-domain socket) can access the local agent through
217 the forwarded connection. An attacker cannot obtain key material
218 from the agent, however they can perform operations on the keys
219 that enable them to authenticate using the identities loaded into
223 Specifies whether X11 connections will be automatically redi-
224 rected over the secure channel and DISPLAY set. The argument
225 must be ``yes'' or ``no''. The default is ``no''.
227 X11 forwarding should be enabled with caution. Users with the
228 ability to bypass file permissions on the remote host (for the
229 user's X11 authorization database) can access the local X11 dis-
230 play through the forwarded connection. An attacker may then be
231 able to perform activities such as keystroke monitoring if the
232 ForwardX11Trusted option is also enabled.
235 If this option is set to ``yes'', remote X11 clients will have
236 full access to the original X11 display.
238 If this option is set to ``no'', remote X11 clients will be con-
239 sidered untrusted and prevented from stealing or tampering with
240 data belonging to trusted X11 clients. Furthermore, the xauth(1)
241 token used for the session will be set to expire after 20 min-
242 utes. Remote clients will be refused access after this time.
244 The default is ``no''.
246 See the X11 SECURITY extension specification for full details on
247 the restrictions imposed on untrusted clients.
250 Specifies whether remote hosts are allowed to connect to local
251 forwarded ports. By default, ssh(1) binds local port forwardings
252 to the loopback address. This prevents other remote hosts from
253 connecting to forwarded ports. GatewayPorts can be used to spec-
254 ify that ssh should bind local port forwardings to the wildcard
255 address, thus allowing remote hosts to connect to forwarded
256 ports. The argument must be ``yes'' or ``no''. The default is
260 Specifies a file to use for the global host key database instead
261 of /etc/ssh/ssh_known_hosts.
264 Specifies whether user authentication based on GSSAPI is allowed.
265 The default is ``yes''. Note that this option applies to proto-
269 Specifies whether key exchange based on GSSAPI may be used. When
270 using GSSAPI key exchange the server need not have a host key.
271 The default is ``yes''. Note that this option applies to proto-
274 GSSAPIDelegateCredentials
275 Forward (delegate) credentials to the server. The default is
276 ``yes''. Note that this option applies to protocol version 2
280 Set to ``yes'' to indicate that the DNS is trusted to securely
281 canonicalize the name of the host being connected to. If ``no,''
282 the hostname entered on the command line will be passed untouched
283 to the GSSAPI library. The default is ``yes''. This option only
284 applies to protocol version 2 connections using GSSAPI.
287 Indicates that ssh(1) should hash host names and addresses when
288 they are added to ~/.ssh/known_hosts. These hashed names may be
289 used normally by ssh(1) and sshd(8), but they do not reveal iden-
290 tifying information should the file's contents be disclosed. The
291 default is ``no''. Note that existing names and addresses in
292 known hosts files will not be converted automatically, but may be
293 manually hashed using ssh-keygen(1).
295 HostbasedAuthentication
296 Specifies whether to try rhosts based authentication with public
297 key authentication. The argument must be ``yes'' or ``no''. The
298 default is ``no''. This option applies to protocol version 2
299 only and is similar to RhostsRSAAuthentication.
302 Specifies the protocol version 2 host key algorithms that the
303 client wants to use in order of preference. The default for this
304 option is: ``ssh-rsa,ssh-dss''.
307 Specifies an alias that should be used instead of the real host
308 name when looking up or saving the host key in the host key
309 database files. This option is useful for tunneling SSH connec-
310 tions or for multiple servers running on a single host.
313 Specifies the real host name to log into. This can be used to
314 specify nicknames or abbreviations for hosts. The default is the
315 name given on the command line. Numeric IP addresses are also
316 permitted (both on the command line and in HostName specifica-
320 Specifies that ssh(1) should only use the authentication identity
321 files configured in the ssh_config files, even if ssh-agent(1)
322 offers more identities. The argument to this keyword must be
323 ``yes'' or ``no''. This option is intended for situations where
324 ssh-agent offers many different identities. The default is
328 Specifies a file from which the user's RSA or DSA authentication
329 identity is read. The default is ~/.ssh/identity for protocol
330 version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol ver-
331 sion 2. Additionally, any identities represented by the authen-
332 tication agent will be used for authentication.
334 The file name may use the tilde syntax to refer to a user's home
335 directory or one of the following escape characters: '%d' (local
336 user's home directory), '%u' (local user name), '%l' (local host
337 name), '%h' (remote host name) or '%r' (remote user name).
339 It is possible to have multiple identity files specified in con-
340 figuration files; all these identities will be tried in sequence.
342 KbdInteractiveDevices
343 Specifies the list of methods to use in keyboard-interactive
344 authentication. Multiple method names must be comma-separated.
345 The default is to use the server specified list. The methods
346 available vary depending on what the server supports. For an
347 OpenSSH server, it may be zero or more of: ``bsdauth'', ``pam'',
351 Specifies a command to execute on the local machine after suc-
352 cessfully connecting to the server. The command string extends
353 to the end of the line, and is executed with /bin/sh. This
354 directive is ignored unless PermitLocalCommand has been enabled.
357 Specifies that a TCP port on the local machine be forwarded over
358 the secure channel to the specified host and port from the remote
359 machine. The first argument must be [bind_address:]port and the
360 second argument must be host:hostport. IPv6 addresses can be
361 specified by enclosing addresses in square brackets or by using
362 an alternative syntax: [bind_address/]port and host/hostport.
363 Multiple forwardings may be specified, and additional forwardings
364 can be given on the command line. Only the superuser can forward
365 privileged ports. By default, the local port is bound in accor-
366 dance with the GatewayPorts setting. However, an explicit
367 bind_address may be used to bind the connection to a specific
368 address. The bind_address of ``localhost'' indicates that the
369 listening port be bound for local use only, while an empty
370 address or '*' indicates that the port should be available from
374 Gives the verbosity level that is used when logging messages from
375 ssh(1). The possible values are: QUIET, FATAL, ERROR, INFO, VER-
376 BOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO.
377 DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify
378 higher levels of verbose output.
380 MACs Specifies the MAC (message authentication code) algorithms in
381 order of preference. The MAC algorithm is used in protocol ver-
382 sion 2 for data integrity protection. Multiple algorithms must
383 be comma-separated. The default is:
384 ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96''.
386 NoHostAuthenticationForLocalhost
387 This option can be used if the home directory is shared across
388 machines. In this case localhost will refer to a different
389 machine on each of the machines and the user will get many warn-
390 ings about changed host keys. However, this option disables host
391 authentication for localhost. The argument to this keyword must
392 be ``yes'' or ``no''. The default is to check the host key for
395 NumberOfPasswordPrompts
396 Specifies the number of password prompts before giving up. The
397 argument to this keyword must be an integer. The default is 3.
399 PasswordAuthentication
400 Specifies whether to use password authentication. The argument
401 to this keyword must be ``yes'' or ``no''. The default is
405 Allow local command execution via the LocalCommand option or
406 using the !command escape sequence in ssh(1). The argument must
407 be ``yes'' or ``no''. The default is ``no''.
409 Port Specifies the port number to connect on the remote host. The
412 PreferredAuthentications
413 Specifies the order in which the client should try protocol 2
414 authentication methods. This allows a client to prefer one
415 method (e.g. keyboard-interactive) over another method (e.g.
416 password) The default for this option is: ``gssapi-keyex,
417 external-keyx, gssapi-with-mic, hostbased, publickey, keyboard-
418 interactive, password''.
421 Specifies the protocol versions ssh(1) should support in order of
422 preference. The possible values are '1' and '2'. Multiple ver-
423 sions must be comma-separated. The default is ``2,1''. This
424 means that ssh tries version 2 and falls back to version 1 if
425 version 2 is not available.
428 Specifies the command to use to connect to the server. The com-
429 mand string extends to the end of the line, and is executed with
430 /bin/sh. In the command string, '%h' will be substituted by the
431 host name to connect and '%p' by the port. The command can be
432 basically anything, and should read from its standard input and
433 write to its standard output. It should eventually connect an
434 sshd(8) server running on some machine, or execute sshd -i some-
435 where. Host key management will be done using the HostName of
436 the host being connected (defaulting to the name typed by the
437 user). Setting the command to ``none'' disables this option
438 entirely. Note that CheckHostIP is not available for connects
439 with a proxy command.
441 This directive is useful in conjunction with nc(1) and its proxy
442 support. For example, the following directive would connect via
443 an HTTP proxy at 192.0.2.0:
445 ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
448 Specifies whether to try public key authentication. The argument
449 to this keyword must be ``yes'' or ``no''. The default is
450 ``yes''. This option applies to protocol version 2 only.
453 Specifies the maximum amount of data that may be transmitted
454 before the session key is renegotiated. The argument is the num-
455 ber of bytes, with an optional suffix of 'K', 'M', or 'G' to
456 indicate Kilobytes, Megabytes, or Gigabytes, respectively. The
457 default is between '1G' and '4G', depending on the cipher. This
458 option applies to protocol version 2 only.
461 Specifies that a TCP port on the remote machine be forwarded over
462 the secure channel to the specified host and port from the local
463 machine. The first argument must be [bind_address:]port and the
464 second argument must be host:hostport. IPv6 addresses can be
465 specified by enclosing addresses in square brackets or by using
466 an alternative syntax: [bind_address/]port and host/hostport.
467 Multiple forwardings may be specified, and additional forwardings
468 can be given on the command line. Only the superuser can forward
471 If the bind_address is not specified, the default is to only bind
472 to loopback addresses. If the bind_address is '*' or an empty
473 string, then the forwarding is requested to listen on all inter-
474 faces. Specifying a remote bind_address will only succeed if the
475 server's GatewayPorts option is enabled (see sshd_config(5)).
477 RhostsRSAAuthentication
478 Specifies whether to try rhosts based authentication with RSA
479 host authentication. The argument must be ``yes'' or ``no''.
480 The default is ``no''. This option applies to protocol version 1
481 only and requires ssh(1) to be setuid root.
484 Specifies whether to try RSA authentication. The argument to
485 this keyword must be ``yes'' or ``no''. RSA authentication will
486 only be attempted if the identity file exists, or an authentica-
487 tion agent is running. The default is ``yes''. Note that this
488 option applies to protocol version 1 only.
491 Specifies what variables from the local environ(7) should be sent
492 to the server. Note that environment passing is only supported
493 for protocol 2. The server must also support it, and the server
494 must be configured to accept these environment variables. Refer
495 to AcceptEnv in sshd_config(5) for how to configure the server.
496 Variables are specified by name, which may contain wildcard char-
497 acters. Multiple environment variables may be separated by
498 whitespace or spread across multiple SendEnv directives. The
499 default is not to send any environment variables.
501 See PATTERNS for more information on patterns.
504 Sets the number of server alive messages (see below) which may be
505 sent without ssh(1) receiving any messages back from the server.
506 If this threshold is reached while server alive messages are
507 being sent, ssh will disconnect from the server, terminating the
508 session. It is important to note that the use of server alive
509 messages is very different from TCPKeepAlive (below). The server
510 alive messages are sent through the encrypted channel and there-
511 fore will not be spoofable. The TCP keepalive option enabled by
512 TCPKeepAlive is spoofable. The server alive mechanism is valu-
513 able when the client or server depend on knowing when a connec-
514 tion has become inactive.
516 The default value is 3. If, for example, ServerAliveInterval
517 (see below) is set to 15 and ServerAliveCountMax is left at the
518 default, if the server becomes unresponsive, ssh will disconnect
519 after approximately 45 seconds. This option applies to protocol
523 Sets a timeout interval in seconds after which if no data has
524 been received from the server, ssh(1) will send a message through
525 the encrypted channel to request a response from the server. The
526 default is 0, indicating that these messages will not be sent to
527 the server. This option applies to protocol version 2 only.
530 Specifies which smartcard device to use. The argument to this
531 keyword is the device ssh(1) should use to communicate with a
532 smartcard used for storing the user's private RSA key. By
533 default, no device is specified and smartcard support is not
536 StrictHostKeyChecking
537 If this flag is set to ``yes'', ssh(1) will never automatically
538 add host keys to the ~/.ssh/known_hosts file, and refuses to con-
539 nect to hosts whose host key has changed. This provides maximum
540 protection against trojan horse attacks, though it can be annoy-
541 ing when the /etc/ssh/ssh_known_hosts file is poorly maintained
542 or when connections to new hosts are frequently made. This
543 option forces the user to manually add all new hosts. If this
544 flag is set to ``no'', ssh will automatically add new host keys
545 to the user known hosts files. If this flag is set to ``ask'',
546 new host keys will be added to the user known host files only
547 after the user has confirmed that is what they really want to do,
548 and ssh will refuse to connect to hosts whose host key has
549 changed. The host keys of known hosts will be verified automati-
550 cally in all cases. The argument must be ``yes'', ``no'', or
551 ``ask''. The default is ``ask''.
554 Specifies whether the system should send TCP keepalive messages
555 to the other side. If they are sent, death of the connection or
556 crash of one of the machines will be properly noticed. However,
557 this means that connections will die if the route is down tem-
558 porarily, and some people find it annoying.
560 The default is ``yes'' (to send TCP keepalive messages), and the
561 client will notice if the network goes down or the remote host
562 dies. This is important in scripts, and many users want it too.
564 To disable TCP keepalive messages, the value should be set to
567 Tunnel Request tun(4) device forwarding between the client and the
568 server. The argument must be ``yes'', ``point-to-point'' (layer
569 3), ``ethernet'' (layer 2), or ``no''. Specifying ``yes''
570 requests the default tunnel mode, which is ``point-to-point''.
571 The default is ``no''.
574 Specifies the tun(4) devices to open on the client (local_tun)
575 and the server (remote_tun).
577 The argument must be local_tun[:remote_tun]. The devices may be
578 specified by numerical ID or the keyword ``any'', which uses the
579 next available tunnel device. If remote_tun is not specified, it
580 defaults to ``any''. The default is ``any:any''.
583 Specifies whether to use a privileged port for outgoing connec-
584 tions. The argument must be ``yes'' or ``no''. The default is
585 ``no''. If set to ``yes'', ssh(1) must be setuid root. Note
586 that this option must be set to ``yes'' for
587 RhostsRSAAuthentication with older servers.
589 User Specifies the user to log in as. This can be useful when a dif-
590 ferent user name is used on different machines. This saves the
591 trouble of having to remember to give the user name on the com-
595 Specifies a file to use for the user host key database instead of
599 Specifies whether to verify the remote key using DNS and SSHFP
600 resource records. If this option is set to ``yes'', the client
601 will implicitly trust keys that match a secure fingerprint from
602 DNS. Insecure fingerprints will be handled as if this option was
603 set to ``ask''. If this option is set to ``ask'', information on
604 fingerprint match will be displayed, but the user will still need
605 to confirm new host keys according to the StrictHostKeyChecking
606 option. The argument must be ``yes'', ``no'', or ``ask''. The
607 default is ``no''. Note that this option applies to protocol
610 See also VERIFYING HOST KEYS in ssh(1).
613 Specifies the full pathname of the xauth(1) program. The default
614 is /usr/X11R6/bin/xauth.
617 A pattern consists of zero or more non-whitespace characters, '*' (a
618 wildcard that matches zero or more characters), or '?' (a wildcard that
619 matches exactly one character). For example, to specify a set of decla-
620 rations for any host in the ``.co.uk'' set of domains, the following pat-
625 The following pattern would match any host in the 192.168.0.[0-9] network
630 A pattern-list is a comma-separated list of patterns. Patterns within
631 pattern-lists may be negated by preceding them with an exclamation mark
632 ('!'). For example, to allow a key to be used from anywhere within an
633 organisation except from the ``dialup'' pool, the following entry (in
634 authorized_keys) could be used:
636 from="!*.dialup.example.com,*.example.com"
640 This is the per-user configuration file. The format of this file
641 is described above. This file is used by the SSH client.
642 Because of the potential for abuse, this file must have strict
643 permissions: read/write for the user, and not accessible by oth-
647 Systemwide configuration file. This file provides defaults for
648 those values that are not specified in the user's configuration
649 file, and for those users who do not have a configuration file.
650 This file must be world-readable.
656 OpenSSH is a derivative of the original and free ssh 1.2.12 release by
657 Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
658 de Raadt and Dug Song removed many bugs, re-added newer features and cre-
659 ated OpenSSH. Markus Friedl contributed the support for SSH protocol
660 versions 1.5 and 2.0.
662 BSD September 25, 1999 BSD