.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh_config.5,v 1.1 2002/06/20 19:56:07 stevesk Exp $
+.\" $OpenBSD: ssh_config.5,v 1.29 2004/03/05 10:53:58 markus Exp $
.Dd September 25, 1999
.Dt SSH_CONFIG 5
.Os
.Nm ssh
obtains configuration data from the following sources in
the following order:
-command line options,
-feature-specific user configuration file(s) (see below),
+.Bl -enum -offset indent -compact
+.It
+command-line options
+.It
user's configuration file
-.Pq Pa $HOME/.ssh/config ,
-and system-wide configuration file
-.Pq Pa /etc/ssh/ssh_config .
-For compatibility with other
-.Nm
-versions, the following feature-specific user configuration files
-will be processed after the command line options but before the user's
-main configuration file, so options that other
-.Nm
-versions may not support don't need to go in the main configuration file:
-.Bl -tag -width Ds
-.It Pa $HOME/.ssh/config.gssapi
-Read if GSSAPI authentication is supported. This is a good place for
-the GssapiAuthentication and GssapiDelegateCredentials options.
-.It Pa $HOME/.ssh/config.krb
-Read if Kerberos authentication is supported. This is a good place
-for the KerberosAuthentication and KerberosTgtPassing options.
-.It Pa $HOME/.ssh/config.afs
-Read if AFS token passing is supported. This is a good place for the
-AfsTokenPassing option.
+.Pq Pa $HOME/.ssh/config
+.It
+GSSAPI configuration file
+.Pq Pa $HOME/.ssh/config.gssapi
+.It
+Kerberos configuration file
+.Pq Pa $HOME/.ssh/config.krb
+.It
+system-wide configuration file
+.Pq Pa /etc/ssh/ssh_config
.El
.Pp
For each parameter, the first obtained value
given after the keyword.
.Ql \&*
and
-.Ql ?
+.Ql \&?
can be used as wildcards in the
patterns.
A single
.Ar hostname
argument given on the command line (i.e., the name is not converted to
a canonicalized host name before matching).
-.It Cm AFSTokenPassing
-Specifies whether to pass AFS tokens to remote host.
-The argument to this keyword must be
-.Dq yes
-or
-.Dq no .
-This option applies to protocol version 1 only.
+.It Cm AddressFamily
+Specifies which address family to use when connecting.
+Valid arguments are
+.Dq any ,
+.Dq inet
+(Use IPv4 only) or
+.Dq inet6
+(Use IPv6 only.)
.It Cm BatchMode
If set to
.Dq yes ,
client for interoperability with legacy protocol 1 implementations
that do not support the
.Ar 3des
-cipher. Its use is strongly discouraged due to cryptographic
-weaknesses.
+cipher.
+Its use is strongly discouraged due to cryptographic weaknesses.
The default is
.Dq 3des .
.It Cm Ciphers
in order of preference.
Multiple ciphers must be comma-separated.
The default is
-.Pp
.Bd -literal
``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
aes192-cbc,aes256-cbc''
.It Cm ClearAllForwardings
Specifies that all local, remote and dynamic port forwardings
specified in the configuration files or on the command line be
-cleared. This option is primarily useful when used from the
+cleared.
+This option is primarily useful when used from the
.Nm ssh
command line to clear port forwardings set in
configuration files, and is automatically set by
The argument must be an integer.
This may be useful in scripts if the connection sometimes fails.
The default is 1.
+.It Cm ConnectTimeout
+Specifies the timeout (in seconds) used when connecting to the ssh
+server, instead of using the default system TCP timeout.
+This value is used only when the target is down or really unreachable,
+not when it refuses the connection.
.It Cm DynamicForward
Specifies that a TCP/IP port on the local machine be forwarded
over the secure channel, and the application
protocol is then used to determine where to connect to from the
-remote machine. The argument must be a port number.
-Currently the SOCKS4 protocol is supported, and
+remote machine.
+The argument must be a port number.
+Currently the SOCKS4 and SOCKS5 protocols are supported, and
.Nm ssh
-will act as a SOCKS4 server.
+will act as a SOCKS server.
Multiple forwardings may be specified, and
-additional forwardings can be given on the command line. Only
-the superuser can forward privileged ports.
+additional forwardings can be given on the command line.
+Only the superuser can forward privileged ports.
+.It Cm EnableSSHKeysign
+Setting this option to
+.Dq yes
+in the global client configuration file
+.Pa /etc/ssh/ssh_config
+enables the use of the helper program
+.Xr ssh-keysign 8
+during
+.Cm HostbasedAuthentication .
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
+This option should be placed in the non-hostspecific section.
+See
+.Xr ssh-keysign 8
+for more information.
.It Cm EscapeChar
Sets the escape character (default:
.Ql ~ ) .
.Dq no .
The default is
.Dq no .
+.Pp
+Agent forwarding should be enabled with caution.
+Users with the ability to bypass file permissions on the remote host
+(for the agent's Unix-domain socket)
+can access the local agent through the forwarded connection.
+An attacker cannot obtain key material from the agent,
+however they can perform operations on the keys that enable them to
+authenticate using the identities loaded into the agent.
.It Cm ForwardX11
Specifies whether X11 connections will be automatically redirected
over the secure channel and
.Dq no .
The default is
.Dq no .
+.Pp
+X11 forwarding should be enabled with caution.
+Users with the ability to bypass file permissions on the remote host
+(for the user's X11 authorization database)
+can access the local X11 display through the forwarded connection.
+An attacker may then be able to perform activities such as keystroke monitoring
+if the
+.Cm ForwardX11Trusted
+option is also enabled.
+.It Cm ForwardX11Trusted
+If the this option is set to
+.Dq yes
+then remote X11 clients will have full access to the original X11 display.
+If this option is set to
+.Dq no
+then remote X11 clients will be considered untrusted and prevented
+from stealing or tampering with data belonging to trusted X11
+clients.
+.Pp
+The default is
+.Dq no .
+.Pp
+See the X11 SECURITY extension specification for full details on
+the restrictions imposed on untrusted clients.
.It Cm GatewayPorts
Specifies whether remote hosts are allowed to connect to local
forwarded ports.
By default,
.Nm ssh
-binds local port forwardings to the loopback address. This
-prevents other remote hosts from connecting to forwarded ports.
+binds local port forwardings to the loopback address.
+This prevents other remote hosts from connecting to forwarded ports.
.Cm GatewayPorts
can be used to specify that
.Nm ssh
Specifies a file to use for the global
host key database instead of
.Pa /etc/ssh/ssh_known_hosts .
-.It Cm GssapiAuthentication
-Specifies whether authentication based on GSSAPI may be used, either using
-the result of a successful key exchange, or using GSSAPI user
-authentication.
+.It Cm GSSAPIAuthentication
+Specifies whether user authentication based on GSSAPI is allowed.
The default is
.Dq yes .
-.It Cm GssapiKeyExchange
+Note that this option applies to protocol version 2 only.
+.It Cm GSSAPIKeyExchange
Specifies whether key exchange based on GSSAPI may be used. When using
GSSAPI key exchange the server need not have a host key.
The default is
.Dq yes .
-.It Cm GssapiDelegateCredentials
-Specifies whether GSSAPI credentials will be delegated (forwarded) to
-the server.
+Note that this option applies to protocol version 2 only.
+.It Cm GSSAPIDelegateCredentials
+Forward (delegate) credentials to the server.
The default is
.Dq yes .
+Note that this option applies to protocol version 2 only.
.It Cm HostbasedAuthentication
Specifies whether to try rhosts based authentication with public key
authentication.
specifications).
.It Cm IdentityFile
Specifies a file from which the user's RSA or DSA authentication identity
-is read. The default is
+is read.
+The default is
.Pa $HOME/.ssh/identity
for protocol version 1, and
.Pa $HOME/.ssh/id_rsa
It is possible to have
multiple identity files specified in configuration files; all these
identities will be tried in sequence.
-.It Cm KeepAlive
-Specifies whether the system should send TCP keepalive messages to the
-other side.
-If they are sent, death of the connection or crash of one
-of the machines will be properly noticed.
-However, this means that
-connections will die if the route is down temporarily, and some people
-find it annoying.
-.Pp
-The default is
-.Dq yes
-(to send keepalives), and the client will notice
-if the network goes down or the remote host dies.
-This is important in scripts, and many users want it too.
-.Pp
-To disable keepalives, the value should be set to
-.Dq no .
-.It Cm KerberosAuthentication
-Specifies whether Kerberos authentication will be used.
+.It Cm IdentitiesOnly
+Specifies that
+.Nm ssh
+should only use the authentication identity files configured in the
+.Nm
+files,
+even if the
+.Nm ssh-agent
+offers more identities.
The argument to this keyword must be
.Dq yes
or
.Dq no .
-.It Cm KerberosTgtPassing
-Specifies whether a Kerberos TGT will be forwarded to the server.
-This will only work if the Kerberos server is actually an AFS kaserver.
-The argument to this keyword must be
-.Dq yes
-or
+This option is intented for situations where
+.Nm ssh-agent
+offers many different identities.
+The default is
.Dq no .
.It Cm LocalForward
Specifies that a TCP/IP port on the local machine be forwarded over
.Nm ssh .
The possible values are:
QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3.
-The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2
-and DEBUG3 each specify higher levels of verbose output.
+The default is INFO.
+DEBUG and DEBUG1 are equivalent.
+DEBUG2 and DEBUG3 each specify higher levels of verbose output.
.It Cm MACs
Specifies the MAC (message authentication code) algorithms
in order of preference.
Default is 22.
.It Cm PreferredAuthentications
Specifies the order in which the client should try protocol 2
-authentication methods. This allows a client to prefer one method (e.g.
+authentication methods.
+This allows a client to prefer one method (e.g.
.Cm keyboard-interactive )
over another method (e.g.
.Cm password )
The default for this option is:
-.Dq hostbased,external-keyx,gssapi,publickey,keyboard-interactive,password .
+.Dq hostbased,external-keyx,gssapi-with-mic,gssapi,publickey,keyboard-interactive,password .
.It Cm Protocol
Specifies the protocol versions
.Nm ssh
Host key management will be done using the
HostName of the host being connected (defaulting to the name typed by
the user).
+Setting the command to
+.Dq none
+disables this option entirely.
Note that
.Cm CheckHostIP
is not available for connects with a proxy command.
Multiple forwardings may be specified, and additional
forwardings can be given on the command line.
Only the superuser can forward privileged ports.
-.It Cm RhostsAuthentication
-Specifies whether to try rhosts based authentication.
-Note that this
-declaration only affects the client side and has no effect whatsoever
-on security.
-Most servers do not permit RhostsAuthentication because it
-is not secure (see
-.Cm RhostsRSAAuthentication ) .
-The argument to this keyword must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq no .
-This option applies to protocol version 1 only.
.It Cm RhostsRSAAuthentication
Specifies whether to try rhosts based authentication with RSA host
authentication.
The default is
.Dq yes .
Note that this option applies to protocol version 1 only.
+.It Cm ServerAliveInterval
+Sets a timeout interval in seconds after which if no data has been received
+from the server,
+.Nm ssh
+will send a message through the encrypted
+channel to request a response from the server.
+The default
+is 0, indicating that these messages will not be sent to the server.
+This option applies to protocol version 2 only.
+.It Cm ServerAliveCountMax
+Sets the number of server alive messages (see above) which may be
+sent without
+.Nm ssh
+receiving any messages back from the server.
+If this threshold is reached while server alive messages are being sent,
+.Nm ssh
+will disconnect from the server, terminating the session.
+It is important to note that the use of server alive messages is very
+different from
+.Cm TCPKeepAlive
+(below).
+The server alive messages are sent through the encrypted channel
+and therefore will not be spoofable.
+The TCP keepalive option enabled by
+.Cm TCPKeepAlive
+is spoofable.
+The server alive mechanism is valuable when the client or
+server depend on knowing when a connection has become inactive.
+.Pp
+The default value is 3.
+If, for example,
+.Cm ServerAliveInterval
+(above) is set to 15, and
+.Cm ServerAliveCountMax
+is left at the default, if the server becomes unresponsive ssh
+will disconnect after approximately 45 seconds.
.It Cm SmartcardDevice
-Specifies which smartcard device to use. The argument to this keyword is
-the device
+Specifies which smartcard device to use.
+The argument to this keyword is the device
.Nm ssh
should use to communicate with a smartcard used for storing the user's
-private RSA key. By default, no device is specified and smartcard support
-is not activated.
+private RSA key.
+By default, no device is specified and smartcard support is not activated.
.It Cm StrictHostKeyChecking
If this flag is set to
.Dq yes ,
.Dq ask .
The default is
.Dq ask .
+.It Cm TCPKeepAlive
+Specifies whether the system should send TCP keepalive messages to the
+other side.
+If they are sent, death of the connection or crash of one
+of the machines will be properly noticed.
+However, this means that
+connections will die if the route is down temporarily, and some people
+find it annoying.
+.Pp
+The default is
+.Dq yes
+(to send TCP keepalive messages), and the client will notice
+if the network goes down or the remote host dies.
+This is important in scripts, and many users want it too.
+.Pp
+To disable TCP keepalive messages, the value should be set to
+.Dq no .
.It Cm UsePrivilegedPort
Specifies whether to use a privileged port for outgoing connections.
The argument must be
.Dq no .
The default is
.Dq no .
+If set to
+.Dq yes
+.Nm ssh
+must be setuid root.
Note that this option must be set to
.Dq yes
-if
-.Cm RhostsAuthentication
-and
+for
.Cm RhostsRSAAuthentication
-authentications are needed with older servers.
+with older servers.
.It Cm User
Specifies the user to log in as.
This can be useful when a different user name is used on different machines.
Specifies a file to use for the user
host key database instead of
.Pa $HOME/.ssh/known_hosts .
+.It Cm VerifyHostKeyDNS
+Specifies whether to verify the remote key using DNS and SSHFP resource
+records.
+If this option is set to
+.Dq yes ,
+the client will implicitly trust keys that match a secure fingerprint
+from DNS.
+Insecure fingerprints will be handled as if this option was set to
+.Dq ask .
+If this option is set to
+.Dq ask ,
+information on fingerprint match will be displayed, but the user will still
+need to confirm new host keys according to the
+.Cm StrictHostKeyChecking
+option.
+The argument must be
+.Dq yes ,
+.Dq no
+or
+.Dq ask .
+The default is
+.Dq no .
+Note that this option applies to protocol version 2 only.
.It Cm XAuthLocation
-Specifies the location of the
+Specifies the full pathname of the
.Xr xauth 1
program.
The default is
for those users who do not have a configuration file.
This file must be world-readable.
.El
+.Sh SEE ALSO
+.Xr ssh 1
.Sh AUTHORS
OpenSSH is a derivative of the original and free
ssh 1.2.12 release by Tatu Ylonen.
created OpenSSH.
Markus Friedl contributed the support for SSH
protocol versions 1.5 and 2.0.
-.Sh SEE ALSO
-.Xr ssh 1
andersk / gssapi-openssh.git / blobdiff