source: trunk/third/openssh/ssh_config.0 @ 18759

Revision 18759, 20.5 KB checked in by zacheiss, 22 years ago (diff)
This commit was generated by cvs2svn to compensate for changes in r18758, which included commits to RCS files with non-trunk default branches.
Line 
1SSH_CONFIG(5)             System File Formats Manual             SSH_CONFIG(5)
2
3NAME
4     ssh_config - OpenSSH SSH client configuration files
5
6SYNOPSIS
7     $HOME/.ssh/config
8     /etc/ssh/ssh_config
9
10DESCRIPTION
11     ssh obtains configuration data from the following sources in the followM--
12     ing order:
13           1.   command-line options
14           2.   user's configuration file ($HOME/.ssh/config)
15           3.   system-wide configuration file (/etc/ssh/ssh_config)
16
17     For each parameter, the first obtained value will be used.  The configuM--
18     ration files contain sections bracketed by ``Host'' specifications, and
19     that section is only applied for hosts that match one of the patterns
20     given in the specification.  The matched host name is the one given on
21     the command line.
22
23     Since the first obtained value for each parameter is used, more host-speM--
24     cific declarations should be given near the beginning of the file, and
25     general defaults at the end.
26
27     The configuration file has the following format:
28
29     Empty lines and lines starting with `#' are comments.
30
31     Otherwise a line is of the format ``keyword arguments''.  Configuration
32     options may be separated by whitespace or optional whitespace and exactly
33     one `='; the latter format is useful to avoid the need to quote whitesM--
34     pace when specifying configuration options using the ssh, scp and sftp -o
35     option.
36
37     The possible keywords and their meanings are as follows (note that keyM--
38     words are case-insensitive and arguments are case-sensitive):
39
40     Host    Restricts the following declarations (up to the next Host keyM--
41             word) to be only for those hosts that match one of the patterns
42             given after the keyword.  `*' and `'?  can be used as wildcards
43             in the patterns.  A single `*' as a pattern can be used to proM--
44             vide global defaults for all hosts.  The host is the hostname
45             argument given on the command line (i.e., the name is not conM--
46             verted to a canonicalized host name before matching).
47
48     AFSTokenPassing
49             Specifies whether to pass AFS tokens to remote host.  The arguM--
50             ment to this keyword must be ``yes'' or ``no''.  This option
51             applies to protocol version 1 only.
52
53     BatchMode
54             If set to ``yes'', passphrase/password querying will be disabled.
55             This option is useful in scripts and other batch jobs where no
56             user is present to supply the password.  The argument must be
57             ``yes'' or ``no''.  The default is ``no''.
58
59     BindAddress
60             Specify the interface to transmit from on machines with multiple
61             interfaces or aliased addresses.  Note that this option does not
62             work if UsePrivilegedPort is set to ``yes''.
63
64     ChallengeResponseAuthentication
65             Specifies whether to use challenge response authentication.  The
66             argument to this keyword must be ``yes'' or ``no''.  The default
67             is ``yes''.
68
69     CheckHostIP
70             If this flag is set to ``yes'', ssh will additionally check the
71             host IP address in the known_hosts file.  This allows ssh to
72             detect if a host key changed due to DNS spoofing.  If the option
73             is set to ``no'', the check will not be executed.  The default is
74             ``yes''.
75
76     Cipher  Specifies the cipher to use for encrypting the session in protoM--
77             col version 1.  Currently, ``blowfish'', ``3des'', and ``des''
78             are supported.  des is only supported in the ssh client for
79             interoperability with legacy protocol 1 implementations that do
80             not support the 3des cipher.  Its use is strongly discouraged due
81             to cryptographic weaknesses.  The default is ``3des''.
82
83     Ciphers
84             Specifies the ciphers allowed for protocol version 2 in order of
85             preference.  Multiple ciphers must be comma-separated.  The
86             default is
87
88               ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
89                 aes192-cbc,aes256-cbc''
90
91     ClearAllForwardings
92             Specifies that all local, remote and dynamic port forwardings
93             specified in the configuration files or on the command line be
94             cleared.  This option is primarily useful when used from the ssh
95             command line to clear port forwardings set in configuration
96             files, and is automatically set by scp(1) and sftp(1).  The arguM--
97             ment must be ``yes'' or ``no''.  The default is ``no''.
98
99     Compression
100             Specifies whether to use compression.  The argument must be
101             ``yes'' or ``no''.  The default is ``no''.
102
103     CompressionLevel
104             Specifies the compression level to use if compression is enabled.
105             The argument must be an integer from 1 (fast) to 9 (slow, best).
106             The default level is 6, which is good for most applications.  The
107             meaning of the values is the same as in gzip(1).  Note that this
108             option applies to protocol version 1 only.
109
110     ConnectionAttempts
111             Specifies the number of tries (one per second) to make before
112             exiting.  The argument must be an integer.  This may be useful in
113             scripts if the connection sometimes fails.  The default is 1.
114
115     DynamicForward
116             Specifies that a TCP/IP port on the local machine be forwarded
117             over the secure channel, and the application protocol is then
118             used to determine where to connect to from the remote machine.
119             The argument must be a port number.  Currently the SOCKS4 protoM--
120             col is supported, and ssh will act as a SOCKS4 server.  Multiple
121             forwardings may be specified, and additional forwardings can be
122             given on the command line.  Only the superuser can forward priviM--
123             leged ports.
124
125     EscapeChar
126             Sets the escape character (default: `~').  The escape character
127             can also be set on the command line.  The argument should be a
128             single character, `^' followed by a letter, or ``none'' to disM--
129             able the escape character entirely (making the connection transM--
130             parent for binary data).
131
132     ForwardAgent
133             Specifies whether the connection to the authentication agent (if
134             any) will be forwarded to the remote machine.  The argument must
135             be ``yes'' or ``no''.  The default is ``no''.
136
137             Agent forwarding should be enabled with caution.  Users with the
138             ability to bypass file permissions on the remote host (for the
139             agent's Unix-domain socket) can access the local agent through
140             the forwarded connection.  An attacker cannot obtain key material
141             from the agent, however they can perform operations on the keys
142             that enable them to authenticate using the identities loaded into
143             the agent.
144
145     ForwardX11
146             Specifies whether X11 connections will be automatically rediM--
147             rected over the secure channel and DISPLAY set.  The argument
148             must be ``yes'' or ``no''.  The default is ``no''.
149
150             X11 forwarding should be enabled with caution.  Users with the
151             ability to bypass file permissions on the remote host (for the
152             user's X authorization database) can access the local X11 display
153             through the forwarded connection.  An attacker may then be able
154             to perform activities such as keystroke monitoring.
155
156     GatewayPorts
157             Specifies whether remote hosts are allowed to connect to local
158             forwarded ports.  By default, ssh binds local port forwardings to
159             the loopback address.  This prevents other remote hosts from conM--
160             necting to forwarded ports.  GatewayPorts can be used to specify
161             that ssh should bind local port forwardings to the wildcard
162             address, thus allowing remote hosts to connect to forwarded
163             ports.  The argument must be ``yes'' or ``no''.  The default is
164             ``no''.
165
166     GlobalKnownHostsFile
167             Specifies a file to use for the global host key database instead
168             of /etc/ssh/ssh_known_hosts.
169
170     HostbasedAuthentication
171             Specifies whether to try rhosts based authentication with public
172             key authentication.  The argument must be ``yes'' or ``no''.  The
173             default is ``no''.  This option applies to protocol version 2
174             only and is similar to RhostsRSAAuthentication.
175
176     HostKeyAlgorithms
177             Specifies the protocol version 2 host key algorithms that the
178             client wants to use in order of preference.  The default for this
179             option is: ``ssh-rsa,ssh-dss''.
180
181     HostKeyAlias
182             Specifies an alias that should be used instead of the real host
183             name when looking up or saving the host key in the host key
184             database files.  This option is useful for tunneling ssh connecM--
185             tions or for multiple servers running on a single host.
186
187     HostName
188             Specifies the real host name to log into.  This can be used to
189             specify nicknames or abbreviations for hosts.  Default is the
190             name given on the command line.  Numeric IP addresses are also
191             permitted (both on the command line and in HostName specificaM--
192             tions).
193
194     IdentityFile
195             Specifies a file from which the user's RSA or DSA authentication
196             identity is read. The default is $HOME/.ssh/identity for protocol
197             version 1, and $HOME/.ssh/id_rsa and $HOME/.ssh/id_dsa for protoM--
198             col version 2.  Additionally, any identities represented by the
199             authentication agent will be used for authentication.  The file
200             name may use the tilde syntax to refer to a user's home direcM--
201             tory.  It is possible to have multiple identity files specified
202             in configuration files; all these identities will be tried in
203             sequence.
204
205     KeepAlive
206             Specifies whether the system should send TCP keepalive messages
207             to the other side.  If they are sent, death of the connection or
208             crash of one of the machines will be properly noticed.  However,
209             this means that connections will die if the route is down temM--
210             porarily, and some people find it annoying.
211
212             The default is ``yes'' (to send keepalives), and the client will
213             notice if the network goes down or the remote host dies.  This is
214             important in scripts, and many users want it too.
215
216             To disable keepalives, the value should be set to ``no''.
217
218     KerberosAuthentication
219             Specifies whether Kerberos authentication will be used.  The
220             argument to this keyword must be ``yes'' or ``no''.
221
222     KerberosTgtPassing
223             Specifies whether a Kerberos TGT will be forwarded to the server.
224             This will only work if the Kerberos server is actually an AFS
225             kaserver.  The argument to this keyword must be ``yes'' or
226             ``no''.
227
228     LocalForward
229             Specifies that a TCP/IP port on the local machine be forwarded
230             over the secure channel to the specified host and port from the
231             remote machine.  The first argument must be a port number, and
232             the second must be host:port.  IPv6 addresses can be specified
233             with an alternative syntax: host/port.  Multiple forwardings may
234             be specified, and additional forwardings can be given on the comM--
235             mand line.  Only the superuser can forward privileged ports.
236
237     LogLevel
238             Gives the verbosity level that is used when logging messages from
239             ssh.  The possible values are: QUIET, FATAL, ERROR, INFO, VERM--
240             BOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3.  The default is INFO.
241             DEBUG and DEBUG1 are equivalent.  DEBUG2 and DEBUG3 each specify
242             higher levels of verbose output.
243
244     MACs    Specifies the MAC (message authentication code) algorithms in
245             order of preference.  The MAC algorithm is used in protocol verM--
246             sion 2 for data integrity protection.  Multiple algorithms must
247             be comma-separated.  The default is
248             ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96''.
249
250     NoHostAuthenticationForLocalhost
251             This option can be used if the home directory is shared across
252             machines.  In this case localhost will refer to a different
253             machine on each of the machines and the user will get many warnM--
254             ings about changed host keys.  However, this option disables host
255             authentication for localhost.  The argument to this keyword must
256             be ``yes'' or ``no''.  The default is to check the host key for
257             localhost.
258
259     NumberOfPasswordPrompts
260             Specifies the number of password prompts before giving up.  The
261             argument to this keyword must be an integer.  Default is 3.
262
263     PasswordAuthentication
264             Specifies whether to use password authentication.  The argument
265             to this keyword must be ``yes'' or ``no''.  The default is
266             ``yes''.
267
268     Port    Specifies the port number to connect on the remote host.  Default
269             is 22.
270
271     PreferredAuthentications
272             Specifies the order in which the client should try protocol 2
273             authentication methods. This allows a client to prefer one method
274             (e.g.  keyboard-interactive) over another method (e.g.  password)
275             The default for this option is:
276             ``hostbased,publickey,keyboard-interactive,password''.
277
278     Protocol
279             Specifies the protocol versions ssh should support in order of
280             preference.  The possible values are ``1'' and ``2''.  Multiple
281             versions must be comma-separated.  The default is ``2,1''.  This
282             means that ssh tries version 2 and falls back to version 1 if
283             version 2 is not available.
284
285     ProxyCommand
286             Specifies the command to use to connect to the server.  The comM--
287             mand string extends to the end of the line, and is executed with
288             /bin/sh.  In the command string, `%h' will be substituted by the
289             host name to connect and `%p' by the port.  The command can be
290             basically anything, and should read from its standard input and
291             write to its standard output.  It should eventually connect an
292             sshd(8) server running on some machine, or execute sshd -i someM--
293             where.  Host key management will be done using the HostName of
294             the host being connected (defaulting to the name typed by the
295             user).  Note that CheckHostIP is not available for connects with
296             a proxy command.
297
298     PubkeyAuthentication
299             Specifies whether to try public key authentication.  The argument
300             to this keyword must be ``yes'' or ``no''.  The default is
301             ``yes''.  This option applies to protocol version 2 only.
302
303     RemoteForward
304             Specifies that a TCP/IP port on the remote machine be forwarded
305             over the secure channel to the specified host and port from the
306             local machine.  The first argument must be a port number, and the
307             second must be host:port.  IPv6 addresses can be specified with
308             an alternative syntax: host/port.  Multiple forwardings may be
309             specified, and additional forwardings can be given on the command
310             line.  Only the superuser can forward privileged ports.
311
312     RhostsAuthentication
313             Specifies whether to try rhosts based authentication.  Note that
314             this declaration only affects the client side and has no effect
315             whatsoever on security.  Most servers do not permit RhostsAuthenM--
316             tication because it is not secure (see RhostsRSAAuthentication).
317             The argument to this keyword must be ``yes'' or ``no''.  The
318             default is ``no''.  This option applies to protocol version 1
319             only and requires ssh to be setuid root and UsePrivilegedPort to
320             be set to ``yes''.
321
322     RhostsRSAAuthentication
323             Specifies whether to try rhosts based authentication with RSA
324             host authentication.  The argument must be ``yes'' or ``no''.
325             The default is ``no''.  This option applies to protocol version 1
326             only and requires ssh to be setuid root.
327
328     RSAAuthentication
329             Specifies whether to try RSA authentication.  The argument to
330             this keyword must be ``yes'' or ``no''.  RSA authentication will
331             only be attempted if the identity file exists, or an authenticaM--
332             tion agent is running.  The default is ``yes''.  Note that this
333             option applies to protocol version 1 only.
334
335     SmartcardDevice
336             Specifies which smartcard device to use. The argument to this
337             keyword is the device ssh should use to communicate with a smartM--
338             card used for storing the user's private RSA key. By default, no
339             device is specified and smartcard support is not activated.
340
341     StrictHostKeyChecking
342             If this flag is set to ``yes'', ssh will never automatically add
343             host keys to the $HOME/.ssh/known_hosts file, and refuses to conM--
344             nect to hosts whose host key has changed.  This provides maximum
345             protection against trojan horse attacks, however, can be annoying
346             when the /etc/ssh/ssh_known_hosts file is poorly maintained, or
347             connections to new hosts are frequently made.  This option forces
348             the user to manually add all new hosts.  If this flag is set to
349             ``no'', ssh will automatically add new host keys to the user
350             known hosts files.  If this flag is set to ``ask'', new host keys
351             will be added to the user known host files only after the user
352             has confirmed that is what they really want to do, and ssh will
353             refuse to connect to hosts whose host key has changed.  The host
354             keys of known hosts will be verified automatically in all cases.
355             The argument must be ``yes'', ``no'' or ``ask''.  The default is
356             ``ask''.
357
358     UsePrivilegedPort
359             Specifies whether to use a privileged port for outgoing connecM--
360             tions.  The argument must be ``yes'' or ``no''.  The default is
361             ``no''.  If set to ``yes'' ssh must be setuid root.  Note that
362             this option must be set to ``yes'' if RhostsAuthentication and
363             RhostsRSAAuthentication authentications are needed with older
364             servers.
365
366     User    Specifies the user to log in as.  This can be useful when a difM--
367             ferent user name is used on different machines.  This saves the
368             trouble of having to remember to give the user name on the comM--
369             mand line.
370
371     UserKnownHostsFile
372             Specifies a file to use for the user host key database instead of
373             $HOME/.ssh/known_hosts.
374
375     XAuthLocation
376             Specifies the full pathname of the xauth(1) program.  The default
377             is /usr/X11R6/bin/xauth.
378
379FILES
380     $HOME/.ssh/config
381             This is the per-user configuration file.  The format of this file
382             is described above.  This file is used by the ssh client.  This
383             file does not usually contain any sensitive information, but the
384             recommended permissions are read/write for the user, and not
385             accessible by others.
386
387     /etc/ssh/ssh_config
388             Systemwide configuration file.  This file provides defaults for
389             those values that are not specified in the user's configuration
390             file, and for those users who do not have a configuration file.
391             This file must be world-readable.
392
393AUTHORS
394     OpenSSH is a derivative of the original and free ssh 1.2.12 release by
395     Tatu Ylonen.  Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
396     de Raadt and Dug Song removed many bugs, re-added newer features and creM--
397     ated OpenSSH.  Markus Friedl contributed the support for SSH protocol
398     versions 1.5 and 2.0.
399
400SEE ALSO
401     ssh(1)
402
403BSD                           September 25, 1999                           BSD
Note: See TracBrowser for help on using the repository browser.