ssh2_config - Configuration file for the Secure Shell client
The Secure Shell client reads configuration data from the following
sources, in this order:
1. the system's global configuration file (/etc/ssh2/ssh2_config)
2. the user's configuration file ($HOME/.ssh2/ssh2_config)
3. the command-line options
For each keyword, the last obtained value will be effective.
A configuration file can begin with metaconfiguration information (i.e.,
information about the configuration language).
If the configuration file starts with a line matching the following egrep
it is interpreted as the version of the configuration style. If this line
is not found, the version is 1.0.
The version string can be followed by one or more metaconfiguration
parameters. These lines have to start with the pound (#) sign, and they have
to match the following egrep style regex:
#[# \t]+[A-Z0-9]+[ \t]+.*
Parsing of metaconfiguration directives stops with the first non-recognized
Version 1.1 and later recognize the following parameter:
Denotes the regex syntax used to parse the configuration file. The
value can be egrep, ssh, zsh_fileglob or traditional. The
zsh_fileglob and traditional arguments are synonymous. The arguments
are not case-sensitive.
In the ssh2_config file, expression: denotes the start of a per-host
configuration block, where expression is an arbitrary string which
distinguishes this block from others. The expression can contain wildcards,
and will be compared with the hostname obtained from the command line. If it
matches, the block will be evaluated. Evaluation stops at the next
expression: statement. If more than one match is found, all will be
evaluated and the last obtained values for parameters will be effective.
The expression does not have to be a real hostname, as long as the
expression block contains a Host configuration parameter that defines the
Empty lines and lines starting with the pound (#) sign are ignored as
comments. Otherwise a line is of the format keyword arguments.
It is possible to enclose arguments in quotes, using the standard C
convention. Configuration files are case sensitive, but keywords are not
case sensitive. Illegal keywords will prevent Secure Shell clients from
starting.
Following are the ssh2_config file keywords:
Specifies the authentication methods that the client uses. Supported
authentication methods are keyboard-interactive, password, publickey,
hostbased, and vendor-specific methods named in the method@domain form
(their names are not preserved on this page). The default
is publickey, keyboard-interactive, password.
You can specify any or all authentication methods. Use a
comma-separated list when specifying more than one argument. The order in
which authentication methods are listed is the order in which they are
used. The least interactive methods should be placed first in this
list. The first successful authentication is the one used.
Specifies whether to display the Authentication successful message
after authentication has completed successfully. This is intended to
prevent malicious servers from getting information from the user by
displaying additional password or passphrase prompts. The argument must
be yes or no. The default is yes.
Specifies whether password or passphrase querying is disabled. This
keyword is useful in scripts and other batch jobs where you don't have
a user to supply the password. If the StrictHostKeyChecking keyword is
set to ask, the client assumes a no answer because user input is not
accepted when invoked with BatchMode yes. The argument must be yes or
no. The default is no.
Specifies the ciphers to use for encrypting the session. Supported
ciphers are aes, blowfish, twofish, arcfour, cast, des, and 3des. Special
arguments for this keyword are Any and AnyStd, which allow any available
cipher or only the standard ciphers respectively, in both cases including
the non-encrypting cipher mode none; AnyCipher, which allows any available
cipher but excludes none; and AnyStdCipher, which is the same as AnyCipher
but includes only those ciphers mentioned in the IETF-SecSH draft
(excluding none). The AnyStdCipher argument is the default.
Specifies whether to clear all defined remote and local forwarded
ports. The argument must be yes or no. The scp command always automati-
cally clears all forwarded ports.
Specifies whether to use compression. The argument must be yes or no.
Writes debug messages to specified file. (Remember to enable debug-
Determines the system name if only the base part of the system name is
available by normal means (for example, those used by the hostname
command). The results are appended to the found system name, if the
system name returned does not contain a dot ( . ). This keyword is only
useful if set in the global configuration file.
Specifies whether to redirect input from /dev/null. The argument must
be yes or no. The default is no.
Specifies the initialization string for the external key provider for
accessing external keys for user authentication. See
ssh-externalkeys(4) for more information. This feature is only available
when external key support is included in the software.
Specifies the external key provider for accessing external keys for
user authentication. See ssh-externalkeys(4) for more information. This
feature is only available when external key support is included in the
software.
Specifies whether or not to configure the suite of r* commands (rsh,
rlogin, and rcp commands and applications that use the rcmd function)
to automatically use a Secure Shell connection.
The argument must be yes or no. The default is no in the
/etc/ssh2/ssh2_config file and yes in the $HOME/.ssh2/ssh2_config file
of the root account.
For this option to work, TcpForwarding must be enabled on the remote
Secure Shell server.
Sets the escape character. The escape character can also be set on the
command line. The argument should be a single character; for example,
^ followed by a letter, or none to disable the escape character entirely
(making the connection transparent for binary data). The default
escape character is the tilde (~).
Specifies whether to allocate a terminal if a command is given. The
argument must be yes or no. The default is no.
Specifies whether the connection to the authentication agent (if any)
will be forwarded to the remote system. The argument must be yes or no.
The default is yes.
Specifies whether X11 connections will be automatically redirected over
the secure channel and if the DISPLAY environment variable will be set.
The argument must be yes or no. The default is yes.
Specifies whether remote hosts can connect to locally forwarded ports.
The argument must be yes or no. The default is no.
Specifies whether the client will go to the background after
authentication is complete and the forwardings established. This is useful if
the ssh2 client is going to ask for passwords or passphrases, but the
user wants it in the background. The argument must be yes, no, or
oneshot. With oneshot, the client behaves the same way as with the
ssh2 -f o command. The default is no.
Specifies the host name to log into. With the expression: format, this
can be used to specify nicknames or abbreviations for hosts. The
default is the name given on the command line. Numeric IP addresses are
also permitted (both on the command line and in HostName
specifications).
The expression: format denotes the start of a per-host configuration
block, where expression is an arbitrary string that distinguishes this
block from others. The expression can contain wildcards. The
expression will be compared with the host name obtained from the
command line, and if it matches, the block will be evaluated.
Evaluation stops at the next expression: line. If more than one match is
found, the last obtained value will be effective. Note that the
expression does not have to be a real host name, as long as the
expression block contains a HostName configuration parameter, where the
real host name to connect to is defined.
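The lookup rules described above (global file, then user file, then command-line options; per-host blocks introduced by an expression: line; all matching blocks evaluated with the last value winning; case-insensitive keywords; quoted arguments; comment and metaconfiguration lines) can be exercised with a small parser. The following is an added example written for this page, not code from the ssh2 client: it assumes file-glob wildcards for block expressions (the page says only that wildcards are allowed and that the metaconfiguration regex syntax can change this), accepts only the keywords the text names, and uses two constructed configuration files in which PLACEHOLDER stands in for a metaconfiguration parameter name.

```python
import fnmatch
import re
import shlex

# Metaconfiguration line format, exactly as given in the text.
META_RE = re.compile(r"#[# \t]+[A-Z0-9]+[ \t]+.*")

# Keywords this toy parser accepts. The real client knows many more; this set
# holds only keywords named in the text, because illegal keywords are fatal.
KNOWN_KEYWORDS = {"stricthostkeychecking", "batchmode", "hostname",
                  "hostca", "defaultdomain", "socksserver"}


def parse_ssh2_config(text):
    """Parse one ssh2_config file.

    Returns (general, blocks, meta): `general` holds keyword/value pairs that
    precede any per-host block, `blocks` lists (expression, settings) in file
    order, and `meta` lists metaconfiguration lines seen before the first
    directive. Keywords are lowercased (case-insensitive); arguments are kept
    as written (configuration files are case-sensitive).
    """
    general, blocks, meta = {}, [], []
    current = general
    in_preamble = True
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                      # empty lines are ignored
        if line.startswith("#"):
            if in_preamble and META_RE.fullmatch(line):
                meta.append(line)         # metaconfiguration directive
            continue                      # anything else after '#' is a comment
        in_preamble = False
        if line.endswith(":"):            # "expression:" opens a per-host block
            current = {}
            blocks.append((line[:-1].strip(), current))
            continue
        # "keyword arguments"; shlex handles quoted arguments and backslash escapes
        parts = shlex.split(line)
        if len(parts) < 2:
            raise ValueError(f"malformed line: {raw!r}")
        keyword = parts[0].lower()
        if keyword not in KNOWN_KEYWORDS:
            raise ValueError(f"illegal keyword {parts[0]!r}; client would not start")
        current[keyword] = " ".join(parts[1:])   # later value replaces earlier
    return general, blocks, meta


def effective_config(target, files, cli_options=None):
    """Merge configuration in the order the text describes: global file, user
    file, then command-line options, the last obtained value winning. Within
    each file every per-host block whose expression matches `target` (the name
    given on the command line; wildcards assumed to be file globs) applies.
    """
    merged = {}
    for text in files:
        general, blocks, _ = parse_ssh2_config(text)
        merged.update(general)
        for expression, settings in blocks:
            if fnmatch.fnmatchcase(target, expression):
                merged.update(settings)
    for keyword, value in (cli_options or {}).items():
        merged[keyword.lower()] = value
    return merged


# Constructed sample files (not from the page). PLACEHOLDER stands in for a
# metaconfiguration parameter name; the text gives only the line format.
GLOBAL_CONF = """\
## PLACEHOLDER egrep
# Site-wide defaults
StrictHostKeyChecking  ask
BatchMode              no

*.example.net:
    StrictHostKeyChecking yes
"""

USER_CONF = """\
# Per-user settings
DefaultDomain example.net

build:
    HostName "build.example.net"
    stricthostkeychecking ask
"""


def demo():
    """Resolve a nickname and a real host name through both files, the first
    with a command-line override of BatchMode."""
    files = [GLOBAL_CONF, USER_CONF]
    nickname = effective_config("build", files, {"BatchMode": "yes"})
    fqdn = effective_config("db.example.net", files)
    return nickname, fqdn


if __name__ == "__main__":
    for name, cfg in zip(("build", "db.example.net"), demo()):
        print(name, cfg)
```

For the nickname build, the global `*.example.net:` block does not match (the comparison uses the command-line name, not the HostName inside the block), so the user block supplies HostName and the command line wins on BatchMode; for db.example.net the global block's StrictHostKeyChecking yes is the last value obtained.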
Specifies the Certificate Authority (CA) certificate (in binary or PEM
[base64] format) to be used when authenticating remote hosts. The cer-
tificate received from the host must be issued by the specified CA and
must contain an alternate, fully qualified domain name. If the remote
host name is not fully qualified, the domain specified by the
DefaultDomain configuration option is appended to it before comparing it to
certificate alternate names. If no CA certificates are specified in
the configuration file, the protocol tries to do key exchange with
ordinary public keys. Otherwise certificates are preferred. Multiple
CAs are permitted.
Similar to HostCA, but disables Certificate Revocation List (CRL)
checking for the given CA certificate.
Specifies the name of the user's identification file.
Specifies whether the keepalive messages are sent. If they are sent,
the loss of a connection or crash of a system will be noticed.
However, this means that connections will die if the route is down
temporarily. The argument must be yes or no. The default is yes (send
keepalive messages). To disable keepalive messages, set the value to no
in both the server and the client configuration files.
CRLs are automatically retrieved from the CRL distribution point
defined in the certificate to be checked if the point exists.
Otherwise, the comma-separated server list given by the LdapServers keyword
is used. If intermediate CA certificates are needed in certificate
validity checking, this keyword must be used or retrieving the
certificates will fail.
Specifies that a TCP/IP port on the local system be forwarded over the
secure channel to the given host:port on the remote system. The
argument format is port:host:hostport. See the -L option in ssh2(1) for
information on forward definitions.
Specifies the Message Authentication Code (MAC) algorithm to use for
data integrity verification. Supported MAC algorithms are hmac-sha1,
hmac-sha1-96, hmac-md5, hmac-md5-96, hmac-ripemd160, and
hmac-ripemd160-96, of which hmac-sha1, hmac-sha1-96, hmac-md5 and
hmac-md5-96 are included in all distributions.
Use a comma-separated list when specifying more than one MAC. Special
arguments to this keyword are Any, Anystd, none, AnyMac and AnyStdMac.
The Any argument allows all MACs including none; the AnyStd argument
allows only those mentioned in the IETF-SecSH draft and none; the none
argument forbids any use of MACs; the AnyMac and AnyStdMac arguments
are analogous to the first two cases but exclude none. The AnyStdMac
argument is the default.
Specifies whether to enable the TCP_NODELAY socket option. The
argument must be yes or no. The default is no.
Specifies the number of password prompts permitted. The argument must
be an integer. The default value is 3. The server also limits the
number of attempts, so setting this value larger than the server's
value does not have any effect.
Specifies the password prompt displayed when users log in. Variables %U
and %H can be used to give the user's login name and host name,
respectively.
Specifies the port number on the remote host. The default is port
Suppresses all warnings and diagnostic messages, except fatal errors.
The argument must be yes or no. The default is no.
Specifies the name of the user's random seed file. The default is the
/$HOME/.ssh2/random_seed file, where $HOME is the name of the user's
Specifies the number of seconds between key exchanges. The default is
3600 seconds (one hour). A value of 0 (zero) turns rekey requests off.
This does not prevent the server from requesting rekeys. Other servers
might not have rekey capabilities implemented correctly, and might not
support rekey requests. This means that they might terminate the con-
nection or the server might crash.
Specifies that a TCP/IP port on the remote system be forwarded over the
secure channel to the specified host:port from the local system. The
argument format is port:host:hostport. See the -R option in the
ssh2(1) file for more information on forward definitions.
Specifies an environment variable to set in the server before executing
a shell or command. The value should be of the form VAR=val. The val
field can be empty. You can specify multiple variables by using
multiple options. Setting the variable can fail on the server end. See
SettableEnvironmentVars in sshd2_config(4).
This feature is not implemented in Secure Shell versions 3.0.x and
Specifies whether to forward an SSH1 agent connection. Arguments are
none, traditional, and ssh2. With the none (default) value, the SSH1
agent connection is not forwarded. With the traditional value, the
SSH1 agent connection is forwarded transparently. The traditional
value can always be used, but it constitutes a security risk, because
the agent does not get the information about the forwarding path. The
ssh2 value makes SSH1 agent forwarding similar to SSH2 agent
forwarding, and with this mode the agent gets the information about the agent
forwarding path. The ssh2 value can be used only if you use ssh-agent2
in SSH1 compatibility mode.
Specifies whether to use SSH1 compatibility codes. The argument must
be yes or no. With this option, ssh1 executes if the server supports
only SSH 1.x protocols.
Specifies whether to use SSH1 internal emulation code. With this
option, ssh2 can communicate with ssh1 servers, without using an
external ssh1 program. The argument must be yes or no. (This option
currently is not supported.)
Specifies whether to send SSH_MSG_IGNORE packets to mask the password
length. The argument must be yes or no. The default is yes.
Specifies the path to the ssh1 client, which is executed if the server
supports only SSH 1.x protocols. The arguments for ssh2 are passed to
the ssh1 client.
Overrides the value of the SSH_SOCKS_SERVER environment variable.
Specifies whether the client automatically adds new host keys to the
$HOME/.ssh2/hostkeys file. The argument must be yes, ask, or no. The
default is ask.
If the argument is set to yes, new host keys will never be added
automatically to the hostkeys file, and connections will be refused to
hosts whose host key has changed. This provides maximum protection
against man-in-the-middle attacks. The yes argument forces the user to
add all new hosts manually.
If the argument is set to ask, new hosts will be added automatically to
the hostkeys file after the user confirms this is the intent. If a host
key changes, you will be asked if you want to accept the new host key
as the only valid one.
If the argument is set to no, new hosts will be added automatically to
the hostkeys file without prompting the user.
The host keys of known hosts will be verified automatically.
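The three StrictHostKeyChecking settings above, combined with the BatchMode rule given earlier (with BatchMode yes an ask policy resolves to a no answer because no user input is accepted), form a small decision procedure. The following is an added example written for this page, not the client's own code; it models $HOME/.ssh2/hostkeys as an in-memory dict and uses constructed key strings KEY-A and KEY-B. The page does not say what happens when the policy is no and a stored key differs from the one presented; the example refuses in that case, which is its own conservative choice, not something the page states.

```python
def host_key_decision(policy, batch_mode, stored_key, presented_key):
    """Decide what the client does with the host key a server presents.

    policy        -- the StrictHostKeyChecking value: "yes", "ask" or "no"
    batch_mode    -- True when BatchMode is yes (no user input is possible)
    stored_key    -- key saved earlier for this host, or None if never seen
    presented_key -- key offered by the server during key exchange

    Returns (action, key_to_store): action is "connect", "prompt" or
    "refuse"; key_to_store is a key to add to the hostkeys file without
    asking, or None. After "prompt" the caller stores the key only if the
    user confirms.
    """
    policy = policy.lower()
    if policy not in ("yes", "ask", "no"):
        raise ValueError(f"StrictHostKeyChecking must be yes, ask or no, got {policy!r}")

    # Known host, unchanged key: verified automatically, nothing to ask.
    if stored_key is not None and stored_key == presented_key:
        return ("connect", None)

    if stored_key is not None:
        # Changed key: "yes" refuses; "ask" asks whether the new key becomes
        # the only valid one, unless batch mode makes the answer "no". The
        # page does not cover "no" here; this example refuses (assumption).
        if policy == "ask" and not batch_mode:
            return ("prompt", None)
        return ("refuse", None)

    # New host.
    if policy == "yes":
        return ("refuse", None)          # user must add the key manually
    if policy == "ask":
        return ("refuse", None) if batch_mode else ("prompt", None)
    return ("connect", presented_key)    # policy "no": add without prompting


def attempt_connection(hostkeys, host, presented_key, policy,
                       batch_mode=False, user_confirms=None):
    """Run one connection attempt against `hostkeys` (dict host -> key,
    standing in for $HOME/.ssh2/hostkeys). `user_confirms(host, key)` answers
    a prompt. Returns "connect" or "refuse" and updates the store as the
    client would."""
    action, key_to_store = host_key_decision(policy, batch_mode,
                                             hostkeys.get(host), presented_key)
    if action == "prompt":
        if user_confirms is not None and user_confirms(host, presented_key):
            hostkeys[host] = presented_key   # accepted as the only valid key
            return "connect"
        return "refuse"
    if key_to_store is not None:
        hostkeys[host] = key_to_store
    return action


def demo():
    """Walk one constructed host through the policies; KEY-A/KEY-B are
    constructed stand-ins for real host keys."""
    store = {}
    host = "host.example.net"
    results = [
        attempt_connection(store, host, "KEY-A", "no"),                 # added silently
        attempt_connection(store, host, "KEY-A", "yes"),                # unchanged key
        attempt_connection(store, host, "KEY-B", "yes"),                # changed: refused
        attempt_connection(store, host, "KEY-B", "ask", batch_mode=True),  # no input: refused
        attempt_connection(store, host, "KEY-B", "ask",
                           user_confirms=lambda h, k: True),            # user accepts
    ]
    return results, store


if __name__ == "__main__":
    print(demo())
```

The fourth attempt is the case scripts run into most often: a batch job with the default ask policy meets a new or changed key and silently refuses, which is the behaviour the BatchMode description announces.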
Specifies whether the Xserver should treat X11 client applications as
trusted (with forwarding X11). Treating X11 applications as untrusted
avoids the problem that logging into a compromised host allows
applications on that host to detect any input operations via the
forwarded X11 connection. You should only use this option if the X client
program you are running needs exceptional privileges for the Xserver.
The ssh1 internal emulation mode does not support the SECURITY
extension. The argument must be yes or no. The default is no.
Specifies the user name. This keyword can be useful if you have a
different user name on different systems. You do not have to specify the
user name on the command line.
Use SOCKS5 instead of SOCKS4 when connecting to remote host. You have
to set SocksServer to a meaningful value. The argument must be yes or
no. The default is no (i.e., use SOCKS4).
Specifies whether debugging messages are displayed. The argument must
be yes or no. The default is no.
Specifies where to find the xauth program. The default is set by the
SSH is a registered trademark of SSH Communication Security Ltd.