X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/d73a67d744a7cbe0d40b6ac60482f22f62b9ba02..c4f51837081fc00e2c67c70da918a948590cd392:/ssh_config.5 diff --git a/ssh_config.5 b/ssh_config.5 index 7f3c7064..05581ece 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.22 2003/10/11 08:24:08 markus Exp $ +.\" $OpenBSD: ssh_config.5,v 1.29 2004/03/05 10:53:58 markus Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -186,7 +186,6 @@ Specifies the ciphers allowed for protocol version 2 in order of preference. Multiple ciphers must be comma-separated. The default is -.Pp .Bd -literal ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, aes192-cbc,aes256-cbc'' @@ -260,6 +259,7 @@ or .Dq no . The default is .Dq no . +This option should be placed in the non-hostspecific section. See .Xr ssh-keysign 8 for more information. @@ -350,9 +350,7 @@ Specifies a file to use for the global host key database instead of .Pa /etc/ssh/ssh_known_hosts . .It Cm GSSAPIAuthentication -Specifies whether authentication based on GSSAPI may be used, either using -the result of a successful key exchange, or using GSSAPI user -authentication. +Specifies whether user authentication based on GSSAPI is allowed. The default is .Dq no . Note that this option applies to protocol version 2 only. @@ -408,22 +406,23 @@ syntax to refer to a user's home directory. It is possible to have multiple identity files specified in configuration files; all these identities will be tried in sequence. -.It Cm KeepAlive -Specifies whether the system should send TCP keepalive messages to the -other side. -If they are sent, death of the connection or crash of one -of the machines will be properly noticed. -However, this means that -connections will die if the route is down temporarily, and some people -find it annoying. -.Pp -The default is +.It Cm IdentitiesOnly +Specifies that +.Nm ssh +should only use the authentication identity files configured in the +.Nm +files, +even if the +.Nm ssh-agent +offers more identities. +The argument to this keyword must be .Dq yes -(to send keepalives), and the client will notice -if the network goes down or the remote host dies. -This is important in scripts, and many users want it too. -.Pp -To disable keepalives, the value should be set to +or +.Dq no . +This option is intented for situations where +.Nm ssh-agent +offers many different identities. +The default is .Dq no . .It Cm LocalForward Specifies that a TCP/IP port on the local machine be forwarded over @@ -571,6 +570,42 @@ running. The default is .Dq yes . Note that this option applies to protocol version 1 only. +.It Cm ServerAliveInterval +Sets a timeout interval in seconds after which if no data has been received +from the server, +.Nm ssh +will send a message through the encrypted +channel to request a response from the server. +The default +is 0, indicating that these messages will not be sent to the server. +This option applies to protocol version 2 only. +.It Cm ServerAliveCountMax +Sets the number of server alive messages (see above) which may be +sent without +.Nm ssh +receiving any messages back from the server. +If this threshold is reached while server alive messages are being sent, +.Nm ssh +will disconnect from the server, terminating the session. +It is important to note that the use of server alive messages is very +different from +.Cm TCPKeepAlive +(below). +The server alive messages are sent through the encrypted channel +and therefore will not be spoofable. +The TCP keepalive option enabled by +.Cm TCPKeepAlive +is spoofable. +The server alive mechanism is valuable when the client or +server depend on knowing when a connection has become inactive. +.Pp +The default value is 3. +If, for example, +.Cm ServerAliveInterval +(above) is set to 15, and +.Cm ServerAliveCountMax +is left at the default, if the server becomes unresponsive ssh +will disconnect after approximately 45 seconds. .It Cm SmartcardDevice Specifies which smartcard device to use. The argument to this keyword is the device @@ -613,6 +648,23 @@ or .Dq ask . The default is .Dq ask . +.It Cm TCPKeepAlive +Specifies whether the system should send TCP keepalive messages to the +other side. +If they are sent, death of the connection or crash of one +of the machines will be properly noticed. +However, this means that +connections will die if the route is down temporarily, and some people +find it annoying. +.Pp +The default is +.Dq yes +(to send TCP keepalive messages), and the client will notice +if the network goes down or the remote host dies. +This is important in scripts, and many users want it too. +.Pp +To disable TCP keepalive messages, the value should be set to +.Dq no . .It Cm UsePrivilegedPort Specifies whether to use a privileged port for outgoing connections. The argument must be @@ -642,6 +694,23 @@ host key database instead of .It Cm VerifyHostKeyDNS Specifies whether to verify the remote key using DNS and SSHFP resource records. +If this option is set to +.Dq yes , +the client will implicitly trust keys that match a secure fingerprint +from DNS. +Insecure fingerprints will be handled as if this option was set to +.Dq ask . +If this option is set to +.Dq ask , +information on fingerprint match will be displayed, but the user will still +need to confirm new host keys according to the +.Cm StrictHostKeyChecking +option. +The argument must be +.Dq yes , +.Dq no +or +.Dq ask . The default is .Dq no . Note that this option applies to protocol version 2 only.