
ssh2_config(4)						       ssh2_config(4)



NAME

  ssh2_config - Configuration file for the Secure Shell client

DESCRIPTION

  The Secure Shell client reads configuration data from the following sources,
  in this order:

   1.  the system's global configuration file (/etc/ssh2/ssh2_config)

   2.  the user's configuration file ($HOME/.ssh2/ssh2_config)

   3.  the command-line options

  For each keyword, the last obtained value is the effective one.

  A configuration file can begin with metaconfiguration information (i.e.,
  information about the configuration language).

  If the configuration file starts with a line matching the following egrep
  style regex

       #.*VERSION[ \t\f]+[0-9]+.[0-9]+

  it is interpreted as the version of the configuration style.  If this line
  is not found, the version is 1.0.

  The version string can be followed by one or more metaconfiguration
  parameters.  The lines have to start with the pound (#) sign, and they have
  to match the following egrep style regex:

       #[# \t]+[A-Z0-9]+[ \t]+.*

  Parsing of metaconfiguration directives stops with the first non-recognized
  line.

  Version 1.1 and later recognize the following parameter:

  REGEX-SYNTAX
          Denotes the regex syntax used to parse the configuration file.  The
          value can be egrep, ssh, zsh_fileglob or traditional.  The
          zsh_fileglob and traditional arguments are synonymous.  The
          arguments are not case-sensitive.

  In the ssh2_config file, a line of the form expression: denotes the start of
  a per-host configuration block, where expression is an arbitrary string
  which distinguishes this block from others.  The expression can contain
  wildcards, and will be compared with the hostname obtained from the command
  line.  If it matches, the block will be evaluated.  Evaluation stops at the
  next expression: statement.  If more than one match is found, all will be
  evaluated and the last obtained values for parameters will be effective.
  The expression does not have to be a real hostname, as long as the
  expression block contains a Host configuration parameter that defines the
  real hostname.

  Empty lines and lines starting with the pound (#) sign are ignored as
  comments.

  Otherwise a line is of the format keyword arguments.

  It is possible to enclose arguments in quotes, using the standard C
  convention.  Configuration files are case sensitive, but keywords are not.
  Illegal keywords will prevent Secure Shell clients from starting
  successfully.

  Following are the ssh2_config file keywords:
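  To make the source order, metaconfiguration header and per-host block rules
  above concrete, here is an added Python model of the evaluation (my own
  code, not part of the Secure Shell software).  The sample files, the parse
  and effective functions, and the use of fnmatch wildcards in place of the
  zsh_fileglob syntax are assumptions.

```python
import fnmatch
import re

# Constructed sample files (not from the manual); global file first, then the
# user's file, and the last value obtained for a keyword wins.
GLOBAL_CONF = """\
## VERSION 1.1
## REGEX-SYNTAX zsh_fileglob
Ciphers AnyStdCipher
ForwardAgent yes
"""
USER_CONF = """\
# per-user overrides (style 1.0: no version line)
ForwardAgent no
*.example.com:
    Port 2222
build:
    Host build01.example.com
    Port 22
"""
# Manual's regexes, assuming an escaped version dot and '-' in parameter names.
VERSION_RE = re.compile(r"#.*VERSION[ \t\f]+([0-9]+\.[0-9]+)")
META_RE = re.compile(r"#[# \t]+([A-Z0-9-]+)[ \t]+(.*)")

def parse(text):
    """Return (version, metaconf, blocks): blocks is a list of (expression,
    {keyword: argument}); None is the part before the first 'expression:'."""
    lines = text.splitlines()
    version, meta, i = "1.0", {}, 0
    m = VERSION_RE.match(lines[0]) if lines else None
    if m:
        version, i = m.group(1), 1
        while i < len(lines) and (m := META_RE.match(lines[i])):
            meta[m.group(1)] = m.group(2).strip()
            i += 1                       # stops at the first unrecognized line
    blocks = [(None, {})]
    for line in lines[i:]:
        s = line.strip()
        if not s or s.startswith("#"):   # empty lines and comments are ignored
            continue
        if s.endswith(":"):              # 'expression:' starts a per-host block
            blocks.append((s[:-1], {}))
        else:                            # keyword arguments; keywords are case-insensitive
            kw, _, arg = s.partition(" ")
            blocks[-1][1][kw.lower()] = arg.strip().strip('"')
    return version, meta, blocks

def effective(host, *texts):
    """Apply sources in order and every matching block in file order (fnmatch
    wildcards stand in for zsh_fileglob); the last obtained value wins."""
    result = {}
    for text in texts:
        for expr, kws in parse(text)[2]:
            if expr is None or fnmatch.fnmatchcase(host, expr):
                result.update(kws)
    return result
```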

  AllowedAuthentications
      Specifies	the authentication methods that	the client uses. Supported
      authentication methods are keyboard-interactive, password, publickey,
      kerberos-2@ssh.com, kerberos-tgt-2@ssh.com, and hostbased. The default
      is publickey, keyboard-interactive, password.

      You can specify any or all authentication	methods. Use a comma-
      separated	list when specifying more than one argument. The order in
      which authentication methods are listed is the order in which they are
      used. The	least interactive methods should be placed first in this
      list. The	first successful authentication	is the one used.

  AuthenticationSuccessMsg
      Specifies	whether	to display the Authentication successful message
      after authentication has completed successfully. This is intended	to
      prevent malicious	servers	from getting information from the user by
      displaying additional password or	passphrase prompts. The	argument must
      be yes or	no. The	default	is yes.

  BatchMode
      Specifies	whether	password or passphrase querying	is disabled. This
      keyword is useful	in scripts and other batch jobs	where you don't	have
      a	user to	supply the password. If	the StrictHostKeyChecking keyword is
      set to ask, the client assumes a no answer because user input is not
      accepted when invoked with BatchMode yes.	 The argument must be yes or
      no. The default is no.

  Ciphers
      Specifies the ciphers to use for encrypting the session.  Supported
      ciphers are aes, blowfish, twofish, arcfour, cast, des, and 3des.
      Special arguments for this keyword are Any and AnyStd, which allow any
      available cipher or only the standard ciphers, respectively, and in
      both cases also the non-encrypting cipher mode none; AnyCipher, which
      allows any available cipher but excludes the non-encrypting cipher mode
      none; and AnyStdCipher, which is the same as AnyCipher but includes only
      those ciphers mentioned in the IETF-SecSH draft (excluding none).  The
      AnyStdCipher argument is the default.

  ClearAllForwardings
      Specifies whether to clear all defined remote and local forwarded
      ports.  The argument must be yes or no.  The scp command always
      automatically clears all forwarded ports.

  Compression
      Specifies	whether	to use compression. The	argument must be yes or	no.

  DebugLogFile
      Writes debug messages to the specified file.  (Remember to enable
      debugging.)

  DefaultDomain
      Specifies the domain to append if only the base part of the system name
      is available by normal means (for example, those used by the hostname
      command).  The argument is appended to the found system name if the
      system name returned does not contain a dot ( . ).  This keyword is
      only useful if set in the global configuration file.

  DontReadStdin
      Specifies whether to redirect input from /dev/null.  The argument must
      be yes or no.  The default is no.

  EkInitString
      Specifies the initialization string for the external key provider for
      accessing external keys for user authentication.  See
      ssh-externalkeys(4) for more information.  This feature is only
      available when external key support is included in the software.

  EkProvider
      Specifies	the external key provider for accessing	external keys for
      user authentication. See ssh-externalkeys(4) for more information. This
      feature is only available	when external key support is included in the
      software.

  EnforceSecureRutils
      Specifies	whether	or not to configure the	suite of r* commands (rsh,
      rlogin, and rcp commands and applications	that use the rcmd function)
      to automatically use a Secure Shell connection.

      The argument must	be yes or no.  The default is no in the
      /etc/ssh2/ssh2_config file and yes in the	$HOME/.ssh2/ssh2_config	file
      of the root account.

      For this option to work, TcpForwarding must be enabled on	the remote
      Secure Shell server.

  EscapeChar
      Sets the escape character.  The escape character can also be set on the
      command line.  The argument should be a single character; for example,
      ^ followed by a letter, or none to disable the escape character entirely
      (making the connection transparent for binary data).  The default
      escape character is the tilde (~).

  ForcePTTYAllocation
      Specifies	whether	to allocate a terminal if a command is given. The
      argument must be yes or no. The default is no.

  ForwardAgent
      Specifies	whether	the connection to the authentication agent (if any)
      will be forwarded	to the remote system. The argument must	be yes or no.
      The default is yes.

  ForwardX11
      Specifies	whether	X11 connections	will be	automatically redirected over
      the secure channel and if	the DISPLAY environment	variable will be set.
      The argument must	be yes or no. The default is yes.

  GatewayPorts
      Specifies	whether	remote hosts can connect to locally forwarded ports.
      The argument must	be yes or no. The default is no.

  GoBackground
      Specifies whether the client will go to the background after
      authentication is complete and the forwardings established.  This is
      useful if the ssh2 client is going to ask for passwords or passphrases,
      but the user wants it in the background.  The argument must be yes, no,
      or oneshot.  With oneshot, the client behaves the same way as with the
      ssh2 -f o command.  The default is no.

  Host
      Specifies the host name to log into.  With the expression: format, this
      can be used to specify nicknames or abbreviations for hosts.  The
      default is the name given on the command line.  Numeric IP addresses are
      also permitted (both on the command line and in Host specifications).

      The expression: format denotes the start of a per-host configuration
      block, where expression is an arbitrary string that distinguishes this
      block from others.  The expression can contain wildcards.  The
      expression will be compared with the host name obtained from the
      command line, and if it matches, the block will be evaluated.
      Evaluation stops at the next expression: format.  If more than one
      match is found, the last obtained value will be effective.  Note that
      the expression does not have to be a real host name, as long as the
      expression block contains a Host configuration parameter, where the
      real host name to connect to is defined.

  HostCA ca-certificate
      Specifies the Certificate Authority (CA) certificate (in binary or PEM
      [base64] format) to be used when authenticating remote hosts.  The
      certificate received from the host must be issued by the specified CA
      and must contain an alternate, fully qualified domain name.  If the
      remote host name is not fully qualified, the domain specified by the
      DefaultDomain configuration option is appended to it before comparing
      it to certificate alternate names.  If no CA certificates are specified
      in the configuration file, the protocol tries to do key exchange with
      ordinary public keys.  Otherwise certificates are preferred.  Multiple
      CAs are permitted.

  HostCANoCRLs ca-certificate
      Similar to HostCA, but disables Certificate Revocation List (CRL)
      checking for the given ca-certificate.

  IdentityFile
      Specifies	the name of the	user's identification file.

  KeepAlive
      Specifies whether the keepalive messages are sent.  If they are sent,
      the loss of a connection or crash of a system will be noticed.
      However, this means that connections will die if the route is down
      temporarily.  The argument must be yes or no.  The default is yes (send
      keepalive messages).  To disable keepalive messages, set the value to no
      in both the server and the client configuration files.

  LdapServers ldap://server.domain-name:389
      CRLs are automatically retrieved from the CRL distribution point
      defined in the certificate to be checked if the point exists.
      Otherwise, the comma-separated server list given by the LdapServers
      keyword is used.  If intermediate CA certificates are needed in
      certificate validity checking, this keyword must be used or retrieving
      the certificates will fail.

  LocalForward
      Specifies that a TCP/IP port on the local system be forwarded over the
      secure channel to the given host:port on the remote system.  The
      argument format is port:host:hostport.  See the -L option in ssh2(1)
      for information on forward definitions.

  MACs
      Specifies the Message Authentication Code (MAC) algorithm to use for
      data integrity verification.  Supported MAC algorithms are hmac-sha1,
      hmac-sha1-96, hmac-md5, hmac-md5-96, hmac-ripemd160, and
      hmac-ripemd160-96, of which hmac-sha1, hmac-sha1-96, hmac-md5 and
      hmac-md5-96 are included in all distributions.

      Use a comma-separated list when specifying more than one MAC.  Special
      arguments to this keyword are Any, AnyStd, none, AnyMac and AnyStdMac.
      The Any argument allows all MACs including none; the AnyStd argument
      allows only those mentioned in the IETF-SecSH draft and none; the none
      argument forbids any use of MACs; the AnyMac and AnyStdMac arguments
      are analogous to the first two cases but exclude none.  The AnyStdMac
      argument is the default.

  NoDelay
      Specifies whether to enable the TCP_NODELAY socket option.  The
      argument must be yes or no.  The default is no.

  NumberofPasswordPrompts
      Specifies	the number of password prompts permitted. The argument must
      be an integer.  The default value	is 3. The server also limits the
      number of	attempts, so setting this value	larger than the	server's
      value does not have any effect.

  PasswordPrompt
      Specifies the password prompt displayed when users log in.  Variables
      %U and %H can be used to give the user's login name and host name,
      respectively.

  Port
      Specifies	the port number	on the remote host.  The default is port
      number 22.

  QuietMode
      Suppresses all warnings and diagnostic messages, except fatal errors.
      The argument must be yes or no.  The default is no.

  RandomSeedFile
      Specifies the name of the user's random seed file.  The default is the
      $HOME/.ssh2/random_seed file, where $HOME is the home directory of the
      user's account.

  RekeyIntervalSeconds
      Specifies the number of seconds between key exchanges.  The default is
      3600 seconds (one hour).  A value of 0 (zero) turns rekey requests off.
      This does not prevent the server from requesting rekeys.  Other servers
      might not have rekey capabilities implemented correctly, and might not
      support rekey requests.  This means that they might terminate the
      connection or the server might crash.

  RemoteForward
      Specifies	that a TCP/IP port on the remote system	be forwarded over the
      secure channel to	the specified host:port	from the local system.	The
      argument format is port:host:hostport.  See the -R option	in the
      ssh2(1) file for more information	on forward definitions.

  SetRemoteEnv
      Specifies an environment variable to set in the server before executing
      a shell or command.  The value should be of the form VAR=val.  The val
      field can be empty.  You can specify multiple variables by using
      multiple options.  Setting the variable can fail on the server end.
      See SettableEnvironmentVars in sshd2_config(4).


				       Note

	 This feature is not implemented in Secure Shell versions 3.0.x	and
	 earlier.

  Ssh1AgentCompatibility
      Specifies whether to forward an SSH1 agent connection.  Arguments are
      none, traditional, and ssh2.  With the none (default) value, the SSH1
      agent connection is not forwarded.  With the traditional value, the
      SSH1 agent connection is forwarded transparently.  The traditional
      value can always be used, but it constitutes a security risk, because
      the agent does not get the information about the forwarding path.  The
      ssh2 value makes SSH1 agent forwarding similar to SSH2 agent
      forwarding, and with this mode the agent gets the information about the
      agent forwarding path.  The ssh2 value can be used only if you use
      ssh-agent2 in SSH1 compatibility mode.

  Ssh1Compatibility
      Specifies	whether	to use	SSH1 compatibility codes. The argument must
      be yes or	no. With this option, ssh1 executes if the server supports
      only SSH 1.x protocols.

  Ssh1InternalEmulation
      Specifies whether to use SSH1 internal emulation code.  With this
      option, ssh2 can communicate with ssh1 servers, without using an
      external ssh1 program.  The argument must be yes or no.  (This option
      currently is not supported.)

  Ssh1MaskPasswordLength
      Specifies	whether	to send	SSH_MSG_IGNORE packets to mask the password
      length.  The argument must be yes	or no.	The default is yes.

  Ssh1Path
      Specifies	the path to the	ssh1 client, which is executed if the server
      supports only SSH	1.x protocols.	The arguments for ssh2 are passed to
      the ssh1 client.

  SocksServer
      Overrides	the value of the SSH_SOCKS_SERVER environment variable.

  StrictHostKeyChecking
      Specifies	whether	the client automatically adds new host keys to the
      $HOME/.ssh2/hostkeys file.  The argument must be yes, ask, or no.	The
      default is ask.

      If the argument is set to	yes, new host keys will	never be added
      automatically to the hostkeys file, and connections will be refused to
      hosts whose host key has changed.	This provides maximum protection
      against man-in-the-middle	attacks. The yes argument forces the user to
      add all new hosts	manually.

      If the argument is set to	ask, new hosts will be added automatically to
      the hostkeys file	after the user confirms	this is	the intent. If a host
      key changes, you will be asked if	you want to accept the new host	key
      as the only valid	one.

      If the argument is set to	no, new	hosts will be added automatically to
      the hostkeys file	without	prompting the user.

      The host keys of known hosts will	be verified automatically.
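      The following added audit (my own code, not part of the Secure Shell
      software) applies the Ciphers, MACs, BatchMode, StrictHostKeyChecking
      and Ssh1AgentCompatibility rules given above to an effective
      configuration, taken as a dictionary of lower-cased keywords to
      argument strings; the function names and finding texts are assumptions.

```python
# Special Ciphers/MACs arguments as the manual describes them: True means the
# argument still permits the non-encrypting / non-authenticating mode "none".
NONE_ALLOWED = {
    "ciphers": {"any": True, "anystd": True, "anycipher": False, "anystdcipher": False},
    "macs": {"any": True, "anystd": True, "anymac": False, "anystdmac": False},
}
DEFAULTS = {"ciphers": "anystdcipher", "macs": "anystdmac"}   # manual's defaults

def none_permitted(keyword, argument=None):
    """True if the argument (or the manual's default when None) lets the
    client negotiate 'none'.  Special words and comma-separated lists are
    case-insensitive; an explicit 'none' entry also counts."""
    keyword = keyword.lower()
    argument = argument if argument is not None else DEFAULTS[keyword]
    for item in argument.lower().split(","):
        item = item.strip()
        if item == "none" or NONE_ALLOWED[keyword].get(item, False):
            return True
    return False

def audit(cfg):
    """Return a list of findings for an effective configuration dict
    (constructed finding texts; each rule is one the keyword descriptions state)."""
    findings = []
    for kw in ("ciphers", "macs"):
        if none_permitted(kw, cfg.get(kw)):
            findings.append(f"{kw}={cfg.get(kw, DEFAULTS[kw])}: permits the none mode")
    shkc = cfg.get("stricthostkeychecking", "ask").lower()
    if shkc == "no":
        findings.append("stricthostkeychecking=no: new host keys are added without prompting")
    elif shkc == "ask" and cfg.get("batchmode", "no").lower() == "yes":
        findings.append("batchmode=yes with stricthostkeychecking=ask: "
                        "the client assumes a 'no' answer to host key prompts")
    if cfg.get("ssh1agentcompatibility", "none").lower() == "traditional":
        findings.append("ssh1agentcompatibility=traditional: agent does not "
                        "learn the forwarding path (manual calls this a security risk)")
    return findings
```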

  TrustX11Applications
      Specifies whether the Xserver should treat X11 client applications as
      trusted (with forwarding X11).  Treating X11 applications as untrusted
      avoids the problem that logging into a compromised host allows
      applications on that host to detect any input operations via the
      forwarded X11 connection.  You should only use this option if the X
      client program you are running needs exceptional privileges for the
      Xserver.  The ssh1 internal emulation mode does not support the
      SECURITY extension.  The argument must be yes or no.  The default is no.

  User
      Specifies the user name.  This keyword can be useful if you have a
      different user name on different systems.  You do not have to specify
      the user name on the command line.

  UseSocks5
      Use SOCKS5 instead of SOCKS4 when	connecting to remote host. You have
      to set SocksServer to a meaningful value.	 The argument must be yes or
      no.  The default is no (i.e., use	SOCKS4).

  VerboseMode
      Specifies	whether	debugging messages are displayed. The argument must
      be yes or	no. The	default	is no.

  XauthPath
      Specifies	where to find the xauth	program. The default is	set by the
      configure	script.

LEGAL NOTICES

  SSH is a registered trademark	of SSH Communication Security Ltd.

SEE ALSO

  Commands: ssh2(1)

  Files: ssh_certificates(4)