SSH_CONFIG(5)                System File Formats Manual                SSH_CONFIG(5)

NAME
     ssh_config - OpenSSH SSH client configuration files

SYNOPSIS
     $HOME/.ssh/config
     /etc/ssh/ssh_config

DESCRIPTION
     ssh obtains configuration data from the following sources in the following
     order:

           1.   command-line options
           2.   user's configuration file ($HOME/.ssh/config)
           3.   system-wide configuration file (/etc/ssh/ssh_config)

     For each parameter, the first obtained value will be used.  The
     configuration files contain sections bracketed by ``Host'' specifications,
     and that section is only applied for hosts that match one of the patterns
     given in the specification.  The matched host name is the one given on the
     command line.

     Since the first obtained value for each parameter is used, more
     host-specific declarations should be given near the beginning of the file,
     and general defaults at the end.

     The configuration file has the following format:

     Empty lines and lines starting with `#' are comments.

     Otherwise a line is of the format ``keyword arguments''.  Configuration
     options may be separated by whitespace or optional whitespace and exactly
     one `='; the latter format is useful to avoid the need to quote whitespace
     when specifying configuration options using the ssh, scp and sftp -o
     option.

     The possible keywords and their meanings are as follows (note that
     keywords are case-insensitive and arguments are case-sensitive):

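     The precedence rules above are easy to get wrong, so here is an added
     example (not part of the manual, and not OpenSSH's own code): a small
     Python parser for the file format just described, together with a
     resolver that applies the manual's rules (first obtained value wins,
     -o command-line options before the file, sections matched against the
     name typed on the command line, `*' and `?' wildcards).  The two config
     texts are constructed for the example; the host names in them are
     placeholders.

```python
import re

# Constructed example config (not from the manual): host-specific sections
# first, a `Host *` catch-all last, as the manual recommends.
SAMPLE_CONFIG = """\
# constructed example, not from the manual
Host bastion
    HostName bastion.example.com
    User ops
    ForwardAgent no

Host *.example.com
    ForwardAgent yes
    StrictHostKeyChecking = ask

Host *
    ForwardAgent no
    ForwardX11 no
    Protocol 2
"""

# Same declarations with the catch-all first: its values shadow everything below.
MISORDERED_CONFIG = """\
Host *
    ForwardAgent no

Host *.example.com
    ForwardAgent yes
"""


def _match(pattern, host):
    """ssh_config-style glob: `*` matches any run, `?` one character."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, host) is not None


def parse_ssh_config(text):
    """Return [(host_patterns, keyword, argument), ...] in file order.

    Lines that are empty or start with `#` are comments.  A line is either
    ``keyword arguments`` or ``keyword=arguments`` (optional whitespace around
    exactly one `=`).  Keywords are lowercased; arguments keep their case.
    Declarations before any Host line are treated as if under ``Host *``.
    """
    entries = []
    patterns = ("*",)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$", line)
        if not m:
            raise ValueError("unparseable line: %r" % raw)
        keyword, argument = m.group(1).lower(), m.group(2).strip()
        if keyword == "host":
            patterns = tuple(argument.split())
            continue
        entries.append((patterns, keyword, argument))
    return entries


def effective_config(entries, host, cmdline=None):
    """Resolve every keyword for `host` (the name typed on the command line).

    Precedence is the manual's: -o command-line options first, then the first
    matching declaration in file order.  Later matches never override.
    """
    resolved = {k.lower(): v for k, v in (cmdline or {}).items()}
    for patterns, keyword, argument in entries:
        if keyword in resolved:
            continue
        if any(_match(p, host) for p in patterns):
            resolved[keyword] = argument
    return resolved


def effective_option(entries, host, keyword, cmdline=None):
    """Value a given keyword takes for `host`, or None if nothing sets it."""
    return effective_config(entries, host, cmdline).get(keyword.lower())


if __name__ == "__main__":
    entries = parse_ssh_config(SAMPLE_CONFIG)
    for h in ("bastion", "web1.example.com", "db.internal"):
        print(h, effective_config(entries, h))
    print("misordered:", effective_option(parse_ssh_config(MISORDERED_CONFIG),
                                          "web1.example.com", "ForwardAgent"))
```

     Two things worth noticing when running it: `bastion' never picks up the
     `*.example.com' section even though its HostName ends in example.com,
     because matching uses the command-line name; and in MISORDERED_CONFIG the
     `ForwardAgent yes' line is dead, since `Host *' supplied the first value.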
     Host    Restricts the following declarations (up to the next Host
             keyword) to be only for those hosts that match one of the patterns
             given after the keyword.  `*' and `?' can be used as wildcards in
             the patterns.  A single `*' as a pattern can be used to provide
             global defaults for all hosts.  The host is the hostname argument
             given on the command line (i.e., the name is not converted to a
             canonicalized host name before matching).

     AFSTokenPassing
             Specifies whether to pass AFS tokens to remote host.  The argument
             to this keyword must be ``yes'' or ``no''.  This option applies to
             protocol version 1 only.

     BatchMode
             If set to ``yes'', passphrase/password querying will be disabled.
             This option is useful in scripts and other batch jobs where no
             user is present to supply the password.  The argument must be
             ``yes'' or ``no''.  The default is ``no''.

     BindAddress
             Specify the interface to transmit from on machines with multiple
             interfaces or aliased addresses.  Note that this option does not
             work if UsePrivilegedPort is set to ``yes''.

     ChallengeResponseAuthentication
             Specifies whether to use challenge response authentication.  The
             argument to this keyword must be ``yes'' or ``no''.  The default
             is ``yes''.

     CheckHostIP
             If this flag is set to ``yes'', ssh will additionally check the
             host IP address in the known_hosts file.  This allows ssh to
             detect if a host key changed due to DNS spoofing.  If the option
             is set to ``no'', the check will not be executed.  The default is
             ``yes''.

     Cipher  Specifies the cipher to use for encrypting the session in protocol
             version 1.  Currently, ``blowfish'', ``3des'', and ``des'' are
             supported.  des is only supported in the ssh client for
             interoperability with legacy protocol 1 implementations that do
             not support the 3des cipher.  Its use is strongly discouraged due
             to cryptographic weaknesses.  The default is ``3des''.

     Ciphers
             Specifies the ciphers allowed for protocol version 2 in order of
             preference.  Multiple ciphers must be comma-separated.  The
             default is

               ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
                 aes192-cbc,aes256-cbc''

     ClearAllForwardings
             Specifies that all local, remote and dynamic port forwardings
             specified in the configuration files or on the command line be
             cleared.  This option is primarily useful when used from the ssh
             command line to clear port forwardings set in configuration
             files, and is automatically set by scp(1) and sftp(1).  The
             argument must be ``yes'' or ``no''.  The default is ``no''.

     Compression
             Specifies whether to use compression.  The argument must be
             ``yes'' or ``no''.  The default is ``no''.

     CompressionLevel
             Specifies the compression level to use if compression is enabled.
             The argument must be an integer from 1 (fast) to 9 (slow, best).
             The default level is 6, which is good for most applications.  The
             meaning of the values is the same as in gzip(1).  Note that this
             option applies to protocol version 1 only.

     ConnectionAttempts
             Specifies the number of tries (one per second) to make before
             exiting.  The argument must be an integer.  This may be useful in
             scripts if the connection sometimes fails.  The default is 1.

     DynamicForward
             Specifies that a TCP/IP port on the local machine be forwarded
             over the secure channel, and the application protocol is then
             used to determine where to connect to from the remote machine.
             The argument must be a port number.  Currently the SOCKS4 protocol
             is supported, and ssh will act as a SOCKS4 server.  Multiple
             forwardings may be specified, and additional forwardings can be
             given on the command line.  Only the superuser can forward
             privileged ports.

     EscapeChar
             Sets the escape character (default: `~').  The escape character
             can also be set on the command line.  The argument should be a
             single character, `^' followed by a letter, or ``none'' to disable
             the escape character entirely (making the connection transparent
             for binary data).

     ForwardAgent
             Specifies whether the connection to the authentication agent (if
             any) will be forwarded to the remote machine.  The argument must
             be ``yes'' or ``no''.  The default is ``no''.

             Agent forwarding should be enabled with caution.  Users with the
             ability to bypass file permissions on the remote host (for the
             agent's Unix-domain socket) can access the local agent through
             the forwarded connection.  An attacker cannot obtain key material
             from the agent, however they can perform operations on the keys
             that enable them to authenticate using the identities loaded into
             the agent.

     ForwardX11
             Specifies whether X11 connections will be automatically redirected
             over the secure channel and DISPLAY set.  The argument must be
             ``yes'' or ``no''.  The default is ``no''.

             X11 forwarding should be enabled with caution.  Users with the
             ability to bypass file permissions on the remote host (for the
             user's X authorization database) can access the local X11 display
             through the forwarded connection.  An attacker may then be able
             to perform activities such as keystroke monitoring.

     GatewayPorts
             Specifies whether remote hosts are allowed to connect to local
             forwarded ports.  By default, ssh binds local port forwardings to
             the loopback address.  This prevents other remote hosts from
             connecting to forwarded ports.  GatewayPorts can be used to
             specify that ssh should bind local port forwardings to the
             wildcard address, thus allowing remote hosts to connect to
             forwarded ports.  The argument must be ``yes'' or ``no''.  The
             default is ``no''.

     GlobalKnownHostsFile
             Specifies a file to use for the global host key database instead
             of /etc/ssh/ssh_known_hosts.

     HostbasedAuthentication
             Specifies whether to try rhosts based authentication with public
             key authentication.  The argument must be ``yes'' or ``no''.  The
             default is ``no''.  This option applies to protocol version 2
             only and is similar to RhostsRSAAuthentication.

     HostKeyAlgorithms
             Specifies the protocol version 2 host key algorithms that the
             client wants to use in order of preference.  The default for this
             option is: ``ssh-rsa,ssh-dss''.

     HostKeyAlias
             Specifies an alias that should be used instead of the real host
             name when looking up or saving the host key in the host key
             database files.  This option is useful for tunneling ssh
             connections or for multiple servers running on a single host.

     HostName
             Specifies the real host name to log into.  This can be used to
             specify nicknames or abbreviations for hosts.  Default is the
             name given on the command line.  Numeric IP addresses are also
             permitted (both on the command line and in HostName
             specifications).

     IdentityFile
             Specifies a file from which the user's RSA or DSA authentication
             identity is read.  The default is $HOME/.ssh/identity for protocol
             version 1, and $HOME/.ssh/id_rsa and $HOME/.ssh/id_dsa for
             protocol version 2.  Additionally, any identities represented by
             the authentication agent will be used for authentication.  The
             file name may use the tilde syntax to refer to a user's home
             directory.  It is possible to have multiple identity files
             specified in configuration files; all these identities will be
             tried in sequence.

     KeepAlive
             Specifies whether the system should send TCP keepalive messages
             to the other side.  If they are sent, death of the connection or
             crash of one of the machines will be properly noticed.  However,
             this means that connections will die if the route is down
             temporarily, and some people find it annoying.

             The default is ``yes'' (to send keepalives), and the client will
             notice if the network goes down or the remote host dies.  This is
             important in scripts, and many users want it too.

             To disable keepalives, the value should be set to ``no''.

     KerberosAuthentication
             Specifies whether Kerberos authentication will be used.  The
             argument to this keyword must be ``yes'' or ``no''.

     KerberosTgtPassing
             Specifies whether a Kerberos TGT will be forwarded to the server.
             This will only work if the Kerberos server is actually an AFS
             kaserver.  The argument to this keyword must be ``yes'' or
             ``no''.

     LocalForward
             Specifies that a TCP/IP port on the local machine be forwarded
             over the secure channel to the specified host and port from the
             remote machine.  The first argument must be a port number, and
             the second must be host:port.  IPv6 addresses can be specified
             with an alternative syntax: host/port.  Multiple forwardings may
             be specified, and additional forwardings can be given on the
             command line.  Only the superuser can forward privileged ports.

     LogLevel
             Gives the verbosity level that is used when logging messages from
             ssh.  The possible values are: QUIET, FATAL, ERROR, INFO,
             VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3.  The default is INFO.
             DEBUG and DEBUG1 are equivalent.  DEBUG2 and DEBUG3 each specify
             higher levels of verbose output.

     MACs    Specifies the MAC (message authentication code) algorithms in
             order of preference.  The MAC algorithm is used in protocol
             version 2 for data integrity protection.  Multiple algorithms
             must be comma-separated.  The default is
             ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96''.

     NoHostAuthenticationForLocalhost
             This option can be used if the home directory is shared across
             machines.  In this case localhost will refer to a different
             machine on each of the machines and the user will get many
             warnings about changed host keys.  However, this option disables
             host authentication for localhost.  The argument to this keyword
             must be ``yes'' or ``no''.  The default is to check the host key
             for localhost.

     NumberOfPasswordPrompts
             Specifies the number of password prompts before giving up.  The
             argument to this keyword must be an integer.  Default is 3.

     PasswordAuthentication
             Specifies whether to use password authentication.  The argument
             to this keyword must be ``yes'' or ``no''.  The default is
             ``yes''.

     Port    Specifies the port number to connect on the remote host.  Default
             is 22.

     PreferredAuthentications
             Specifies the order in which the client should try protocol 2
             authentication methods.  This allows a client to prefer one
             method (e.g. keyboard-interactive) over another method (e.g.
             password).  The default for this option is:
             ``hostbased,publickey,keyboard-interactive,password''.

     Protocol
             Specifies the protocol versions ssh should support in order of
             preference.  The possible values are ``1'' and ``2''.  Multiple
             versions must be comma-separated.  The default is ``2,1''.  This
             means that ssh tries version 2 and falls back to version 1 if
             version 2 is not available.

     ProxyCommand
             Specifies the command to use to connect to the server.  The
             command string extends to the end of the line, and is executed
             with /bin/sh.  In the command string, `%h' will be substituted by
             the host name to connect and `%p' by the port.  The command can
             be basically anything, and should read from its standard input
             and write to its standard output.  It should eventually connect
             an sshd(8) server running on some machine, or execute sshd -i
             somewhere.  Host key management will be done using the HostName
             of the host being connected (defaulting to the name typed by the
             user).  Note that CheckHostIP is not available for connects with
             a proxy command.

     PubkeyAuthentication
             Specifies whether to try public key authentication.  The argument
             to this keyword must be ``yes'' or ``no''.  The default is
             ``yes''.  This option applies to protocol version 2 only.

     RemoteForward
             Specifies that a TCP/IP port on the remote machine be forwarded
             over the secure channel to the specified host and port from the
             local machine.  The first argument must be a port number, and the
             second must be host:port.  IPv6 addresses can be specified with
             an alternative syntax: host/port.  Multiple forwardings may be
             specified, and additional forwardings can be given on the command
             line.  Only the superuser can forward privileged ports.

     RhostsAuthentication
             Specifies whether to try rhosts based authentication.  Note that
             this declaration only affects the client side and has no effect
             whatsoever on security.  Most servers do not permit
             RhostsAuthentication because it is not secure (see
             RhostsRSAAuthentication).  The argument to this keyword must be
             ``yes'' or ``no''.  The default is ``no''.  This option applies
             to protocol version 1 only and requires ssh to be setuid root and
             UsePrivilegedPort to be set to ``yes''.

     RhostsRSAAuthentication
             Specifies whether to try rhosts based authentication with RSA
             host authentication.  The argument must be ``yes'' or ``no''.
             The default is ``no''.  This option applies to protocol version 1
             only and requires ssh to be setuid root.

     RSAAuthentication
             Specifies whether to try RSA authentication.  The argument to
             this keyword must be ``yes'' or ``no''.  RSA authentication will
             only be attempted if the identity file exists, or an
             authentication agent is running.  The default is ``yes''.  Note
             that this option applies to protocol version 1 only.

     SmartcardDevice
             Specifies which smartcard device to use.  The argument to this
             keyword is the device ssh should use to communicate with a
             smartcard used for storing the user's private RSA key.  By
             default, no device is specified and smartcard support is not
             activated.

     StrictHostKeyChecking
             If this flag is set to ``yes'', ssh will never automatically add
             host keys to the $HOME/.ssh/known_hosts file, and refuses to
             connect to hosts whose host key has changed.  This provides
             maximum protection against trojan horse attacks, however, can be
             annoying when the /etc/ssh/ssh_known_hosts file is poorly
             maintained, or connections to new hosts are frequently made.
             This option forces the user to manually add all new hosts.  If
             this flag is set to ``no'', ssh will automatically add new host
             keys to the user known hosts files.  If this flag is set to
             ``ask'', new host keys will be added to the user known host files
             only after the user has confirmed that is what they really want
             to do, and ssh will refuse to connect to hosts whose host key has
             changed.  The host keys of known hosts will be verified
             automatically in all cases.  The argument must be ``yes'', ``no''
             or ``ask''.  The default is ``ask''.

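     To make the StrictHostKeyChecking and CheckHostIP behaviour above
     concrete, here is an added example that is not part of the manual and
     not OpenSSH's code: a Python model of the decision a client makes when a
     server presents a host key, given a known_hosts database, the hostname
     typed by the user, the address it resolved to, and the two options.  The
     known_hosts text is constructed for the example (one line per host,
     comma-separated names and addresses sharing an entry, then key type and
     key); the key blobs are placeholders.  Treating an IP-only mismatch as a
     warning rather than a refusal is a modelling assumption, since the manual
     only says the extra check lets ssh detect the change.

```python
# Constructed known_hosts content (not from the manual).  The key blobs are
# obvious placeholders, not real public keys.
KNOWN_HOSTS = """\
# hostnames and IPs sharing one entry are comma-separated
web1.example.com,192.0.2.10 ssh-rsa PLACEHOLDER-KEY-web1
db.example.com,192.0.2.20 ssh-dss PLACEHOLDER-KEY-db
"""


def parse_known_hosts(text):
    """Map every name (hostname or IP) on each line to its (keytype, key)."""
    db = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        names, keytype, rest = line.split(None, 2)
        key = rest.split()[0]          # ignore any trailing comment
        for name in names.split(","):
            db[name] = (keytype, key)
    return db


def host_key_decision(db, host, ip, presented, strict="ask", check_host_ip="yes"):
    """Model of the StrictHostKeyChecking and CheckHostIP decisions.

    Returns (decision, reason) with decision one of:
      connect  key verified against the known_hosts entry for `host`
      refuse   known host whose key changed (yes/ask), or unknown host under yes
      prompt   unknown host under ask: add only after the user confirms
      add      unknown host under no: added without asking
      warn     the key recorded for `ip` disagrees with the presented key
    """
    if strict not in ("yes", "no", "ask"):
        raise ValueError("StrictHostKeyChecking must be yes, no or ask")
    known = db.get(host)
    # CheckHostIP: the address the name resolved to is checked as well, so a
    # name that now points at a different, already-known machine (the DNS
    # spoofing case the manual mentions) is flagged even when the name alone
    # looks fine.  Modelling assumption: reported as a warning.
    ip_conflict = check_host_ip == "yes" and ip in db and db[ip] != presented
    if known is not None:
        if known != presented:
            if strict == "no":
                # The manual states refusal only for yes and ask; the model
                # still flags the change under no (assumption).
                return "warn", "host key for %s has changed" % host
            return "refuse", "host key for %s has changed" % host
        if ip_conflict:
            return "warn", "key matches %s but not the key recorded for %s" % (host, ip)
        return "connect", "host key for %s verified" % host
    if ip_conflict:
        return "warn", "%s is unknown but %s is known with a different key" % (host, ip)
    if strict == "yes":
        return "refuse", "%s is not in known_hosts" % host
    if strict == "ask":
        return "prompt", "%s is not in known_hosts; add only if the user confirms" % host
    return "add", "%s added to known_hosts automatically" % host


if __name__ == "__main__":
    db = parse_known_hosts(KNOWN_HOSTS)
    web1 = ("ssh-rsa", "PLACEHOLDER-KEY-web1")
    for args in [("web1.example.com", "192.0.2.10", web1),
                 ("web1.example.com", "192.0.2.10", ("ssh-rsa", "PLACEHOLDER-KEY-other")),
                 ("web1.example.com", "192.0.2.20", web1),
                 ("new.example.com", "192.0.2.30", web1)]:
        print(args[0], args[1], host_key_decision(db, *args))
```

     The case to look at is the third one: the key matches the entry for the
     hostname, so without CheckHostIP the connection would simply proceed;
     with it, the address the name resolved to is found in known_hosts under a
     different key, which is exactly the discrepancy the manual says the
     option exists to surface.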
     UsePrivilegedPort
             Specifies whether to use a privileged port for outgoing
             connections.  The argument must be ``yes'' or ``no''.  The
             default is ``no''.  If set to ``yes'' ssh must be setuid root.
             Note that this option must be set to ``yes'' if
             RhostsAuthentication and RhostsRSAAuthentication authentications
             are needed with older servers.

     User    Specifies the user to log in as.  This can be useful when a
             different user name is used on different machines.  This saves
             the trouble of having to remember to give the user name on the
             command line.

     UserKnownHostsFile
             Specifies a file to use for the user host key database instead of
             $HOME/.ssh/known_hosts.

     XAuthLocation
             Specifies the full pathname of the xauth(1) program.  The default
             is /usr/X11R6/bin/xauth.

FILES
     $HOME/.ssh/config
             This is the per-user configuration file.  The format of this file
             is described above.  This file is used by the ssh client.  This
             file does not usually contain any sensitive information, but the
             recommended permissions are read/write for the user, and not
             accessible by others.

     /etc/ssh/ssh_config
             Systemwide configuration file.  This file provides defaults for
             those values that are not specified in the user's configuration
             file, and for those users who do not have a configuration file.
             This file must be world-readable.

AUTHORS
     OpenSSH is a derivative of the original and free ssh 1.2.12 release by
     Tatu Ylonen.  Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
     de Raadt and Dug Song removed many bugs, re-added newer features and
     created OpenSSH.  Markus Friedl contributed the support for SSH protocol
     versions 1.5 and 2.0.

SEE ALSO
     ssh(1)

BSD                            September 25, 1999                            BSD