ssh_config(4)                    File Formats                    ssh_config(4)



NAME
       ssh_config - ssh configuration file

SYNOPSIS
       /etc/ssh/ssh_config

       $HOME/.ssh/config

DESCRIPTION
       The first ssh_config path, above, provides the system-wide defaults for
       ssh(1). The second is the user-specific configuration file for ssh.

       ssh obtains configuration data from  the  following  sources  (in  this
       order):    command    line    options,    user's   configuration   file
       ($HOME/.ssh/config),     and     system-wide     configuration     file
       (/etc/ssh/ssh_config).  For  each  parameter,  the first obtained value
       will be used. The configuration files  contain  sections  bracketed  by
       Host  specifications,  and  that section is applied only for hosts that
       match one of the patterns given in the specification. The matched  host
       name is the one given on the command line.

       Since  the  first  obtained value for each parameter is used, host-spe-
       cific declarations should be given near the beginning of the file,  and
       general defaults at the end.

       The configuration file has the following format and syntax:

         o  Empty lines and lines starting with # are comments.

         o  Non-commented lines are of the form:


            keyword arguments

         o  Configuration  options  can be separated by whitespace or optional
            whitespace and exactly one equal sign. The  latter  format  allows
            you to avoid the need to quote whitespace when specifying configu-
            ration options using the -o option to ssh, scp, and sftp.


       The possible keywords and their meanings are listed  below.  Note  that
       keywords are case-insensitive and arguments are case-sensitive.

       Host

           Restricts  the following declarations (up to the next Host keyword)
           to be only for those hosts that match one  of  the  patterns  given
           after  the  keyword. An asterisk (*) and a question mark (?) can be
           used as wildcards in the patterns. A single asterisk as  a  pattern
           can  be  used to provide global defaults for all hosts. The host is
           the host name argument given on the command line (that is, the name
           is not converted to a canonicalized host name before matching).
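       The precedence rules above (command line, then the user's file, then
       the system file; first obtained value wins; Host sections matched by
       literal pattern against the command-line name; keyword/value separated
       by whitespace or one equal sign) are easy to get backwards, and getting
       them backwards silently re-enables things like agent forwarding. The
       following Python is an added illustration written for this page, not
       part of the man page and not OpenSSH's own parser; the three sample
       configuration texts and the host names in it are constructed.

```python
"""Resolve ssh_config(4) settings the way the man page describes: sources
are consulted in the order command line, $HOME/.ssh/config, then
/etc/ssh/ssh_config; the first value obtained for a keyword wins; and a
declaration applies only when the name typed on the command line matches
one of the patterns of the enclosing Host line. This is an illustrative
re-implementation written for this page, not OpenSSH's own parser."""
import re

# "keyword arguments" or "keyword = arguments": whitespace, or optional
# whitespace around exactly one equal sign, separates keyword from value.
_LINE = re.compile(r'^(\w+)\s*(?:=\s*|\s+)(.*?)\s*$')


def matches(pattern, host):
    """ssh-style pattern: '*' matches any run of characters, '?' exactly
    one. The comparison is against the literal command-line name; no
    canonicalisation is attempted, just as the Host keyword specifies."""
    regex = ''.join('.*' if c == '*' else '.' if c == '?' else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, host) is not None


def parse(text):
    """Yield (keyword, value, host_patterns) for each declaration. Keywords
    are case-insensitive and are lower-cased; values keep their case.
    Declarations before any Host line apply to every host."""
    patterns = ['*']
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):      # comments and blank lines
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError('malformed line: %r' % raw)
        keyword, value = m.group(1).lower(), m.group(2)
        if keyword == 'host':
            patterns = value.split()              # starts a new section
            continue
        yield keyword, value, patterns


def resolve(host, cli_options=(), user_config='', system_config=''):
    """Return {keyword: value} in effect for HOST. CLI_OPTIONS are the
    strings given to ssh -o, e.g. 'ForwardAgent=no'; they take precedence
    over both files and are not subject to any Host section."""
    settings = {}
    for text in ('\n'.join(cli_options), user_config, system_config):
        for keyword, value, patterns in parse(text):
            if keyword in settings:               # first obtained value wins
                continue
            if any(matches(p, host) for p in patterns):
                settings[keyword] = value
    return settings


# Constructed sample files (not from the man page). Host-specific sections
# come first, as the page recommends, so 'bastion' keeps agent forwarding off.
GOOD_USER_CONFIG = """
Host bastion
    ForwardAgent no
    StrictHostKeyChecking yes

Host *.corp.example
    User svc
    ForwardAgent yes

Host *
    Protocol 2
    ForwardAgent no
"""

# The same declarations with the global section first: 'Host *' now supplies
# the first value of ForwardAgent for every host and the bastion line is dead.
BAD_USER_CONFIG = """
Host *
    Protocol 2
    ForwardAgent yes

Host bastion
    ForwardAgent no
"""

SYSTEM_CONFIG = """
Host *
    Protocol 2
    ForwardAgent = no
    Ciphers aes128-ctr
"""

if __name__ == '__main__':
    for cfg in (GOOD_USER_CONFIG, BAD_USER_CONFIG):
        print(resolve('bastion', [], cfg, SYSTEM_CONFIG))
    print(resolve('bastion', ['ForwardAgent=yes'], GOOD_USER_CONFIG, SYSTEM_CONFIG))
```

       Running it shows the point of the ordering advice: with the good file
       'bastion' resolves ForwardAgent to no, with the bad file to yes, even
       though both files contain a "Host bastion" section saying no. A -o
       option on the command line beats either file.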



       BatchMode

           The  argument must be yes or no. If set to yes, passphrase/password
           querying will be disabled. This option is  useful  in  scripts  and
           other batch jobs where you have no user to supply the password.



       BindAddress

           Specify  the  interface  to transmit from on machines with multiple
           interfaces or aliased addresses. Note that  this  option  does  not
           work if UsePrivilegedPort is set to yes.



       CheckHostIP

           If this flag is set to yes, ssh will additionally check the host IP
           address in the known_hosts file. This allows ssh  to  detect  if  a
           host  key  changed due to DNS spoofing. If the option is set to no,
           the check will not be executed.



       Cipher

           Specifies the cipher to use for encrypting the session in  protocol
           version 1; blowfish and 3des are the only valid values.



       Ciphers

           Specifies  the  ciphers  allowed for protocol version 2 in order of
           preference. Multiple ciphers must be comma-separated.  The  default
           is:


           aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc



       ClearAllForwardings

           Specifies  that  all  local,  remote,  and dynamic port forwardings
           specified in the configuration files or  on  the  command  line  be
           cleared.  This  option  is  primarily useful when used from the ssh
           command line to clear port forwardings set in  configuration  files
           and  is  automatically set by scp(1) and sftp(1). The argument must
           be yes or no. The default is no.



       Compression

           Specifies whether to use compression. The argument must be  yes  or
           no. Defaults to no.



       CompressionLevel

           Specifies  the  compression level to use if compression is enabled.
           The argument must be an integer from 1 (fast) to  9  (slow,  best).
            The  default level is 6, which is good for most applications. Note
            that this option applies to protocol version 1 only.



       ConnectionAttempts

           Specifies the number of tries (one per second) to make before fall-
           ing  back  to rsh or exiting. The argument must be an integer. This
           can be useful in scripts if the  connection  sometimes  fails.  The
           default is 1.



       DynamicForward

           Specifies that a TCP/IP port on the local machine be forwarded over
           the secure channel. The application protocol is then used to deter-
           mine where to connect to from the remote machine. The argument must
           be a port number. Currently the SOCKS4 protocol is  supported,  and
           ssh will act as a SOCKS4 server. Multiple forwardings can be speci-
           fied and additional forwardings can be  specified  on  the  command
           line. Only the superuser can forward privileged ports.



       EscapeChar

           Sets  the  escape  character.  The default is tilde (~). The escape
           character can also be set on the command line. The argument  should
           be  a single character, ^, followed by a letter, or none to disable
           the escape character entirely (making  the  connection  transparent
           for binary data).



       FallBackToRsh

           Specifies  that  if  connecting  with ssh fails due to a connection
           refused error (there is no sshd(8) listening on the  remote  host),
           rsh(1) should automatically be used instead (after a suitable warn-
           ing about the session being unencrypted). The argument must be  yes
           or no.



       ForwardAgent

           Specifies  whether  the  connection to the authentication agent (if
           any) will be forwarded to the remote machine. The argument must  be
           yes or no. The default is no.

           Agent  forwarding  should  be  enabled with caution. Users with the
           ability to bypass file permissions on  the  remote  host  (for  the
           agent's  Unix-domain socket) can access the local agent through the
            forwarded connection. An attacker cannot obtain key  material  from
            the agent; he can, however, perform operations on  the  keys  that
            enable him to authenticate using the  identities  loaded  into  the
            agent.



       ForwardX11

           Specifies  whether X11 connections will be automatically redirected
           over the secure channel and DISPLAY set. The argument must  be  yes
           or no. The default is no.

           X11 forwarding should be enabled with caution. Users with the abil-
           ity to bypass file permissions on the remote host (for the user's X
           authorization  database)  can  access the local X11 display through
           the forwarded connection. An attacker might then be able to perform
           activities such as keystroke monitoring.



       GatewayPorts

           Specifies whether remote hosts are allowed to connect to local for-
           warded ports. By default, ssh binds local port forwardings  to  the
           loopback  address. This prevents other remote hosts from connecting
           to forwarded ports. GatewayPorts can be used to  specify  that  ssh
           should  bind  local  port forwardings to the wildcard address, thus
           allowing remote hosts to connect to forwarded ports.  The  argument
           must be yes or no. The default is no.



       GlobalKnownHostsFile

           Specifies a file to use instead of /etc/ssh/ssh_known_hosts.



       GSSAPIAuthentication

           Enables/disables GSS-API user authentication. The default is yes.



       GSSAPIKeyExchange

           Enables/disables  GSS-API-authenticated  key exchanges. The default
           is yes.

           This option is intended primarily to allow users to disable the use
           of  GSS-API  key  exchange  for  SSHv2  when  it would otherwise be
           selected and then fail (due to server misconfiguration,  for  exam-
           ple). SSHv2 key exchange failure always results in disconnection.

           This option also enables the use of the GSS-API to authenticate the
           user to the server after the key exchange. Note  that  GSS-API  key
           exchange  can  succeed  but the subsequent authentication using the
           GSS-API fail if the server does not authorize the user's GSS  prin-
           cipal name to the target user account.



       GSSAPIDelegateCredentials

           Enables/disables GSS-API credential forwarding. The default is no.



       GSSAPIStoreDelegatedCredentials

           Controls  whether sshd(1M) stores any GSS-API credentials delegated
           by clients.



       HostbasedAuthentication

           Specifies whether to try rhosts-based  authentication  with  public
           key  authentication. The argument must be yes or no. The default is
           no. This option applies to protocol version 2 only and  is  similar
           to RhostsRSAAuthentication.



       HostKeyAlgorithms

           Specifies  the  protocol  version  2  host  key algorithms that the
           client wants to use in order of preference. The  default  for  this
           option is: ssh-rsa,ssh-dss.



       HostKeyAlias

           Specifies  an  alias  that  should be used instead of the real host
           name when looking up or saving the host key in the host  key  data-
           base  files. This option is useful for tunneling ssh connections or
           for multiple servers running on a single host.



       HostName

           Specifies the real host name to log into. This can be used to spec-
           ify nicknames or abbreviations for hosts. Default is the name given
           on the command line. Numeric IP addresses are also permitted  (both
           on the command line and in HostName specifications).



       IdentityFile

           Specifies  a  file  from which the user's RSA or DSA authentication
           identity is read. The default is $HOME/.ssh/identity  for  protocol
           version  1 and $HOME/.ssh/id_rsa and $HOME/.ssh/id_dsa for protocol
           version 2. Additionally, any identities represented by the  authen-
           tication  agent  will be used for authentication. The file name can
           use the tilde syntax to refer to a user's  home  directory.  It  is
           possible to have multiple identity files specified in configuration
           files; all these identities will be tried in sequence.



       KeepAlive

           Specifies whether the system should send TCP keepalive messages  to
           the  other side. If they are sent, death of the connection or crash
           of one of the machines will  be  properly  noticed.  However,  this
           means  that connections die if the route is down temporarily, which
           can be a source of annoyance.

           The default is yes (to send keepalives),  which  means  the  client
           notices  if  the network goes down or the remote host dies. This is
           important in scripts, and  many  users  want  it  too.  To  disable
           keepalives,  the  value  should be set to no in both the server and
           the client configuration files.



       LocalForward

           Specifies that a TCP/IP port on the local machine be forwarded over
           the  secure  channel  to a given host:port from the remote machine.
           The first argument must be a port number, and the  second  must  be
           host:port. IPv6 addresses can be specified with an alternative syn-
           tax: host/port. Multiple forwardings can  be  specified  and  addi-
           tional forwardings can be given on the command line. Only the supe-
           ruser can forward privileged ports.



       LogLevel

           Gives the verbosity level that is used when logging  messages  from
           ssh.  The  possible values are: FATAL, ERROR, INFO, VERBOSE, DEBUG,
           DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG  and  DEBUG1
           are  equivalent.  DEBUG2  and  DEBUG3 each specify higher levels of
           verbose output.



       MACs

           Specifies the MAC (message authentication code) algorithms in order
           of  preference. The MAC algorithm is used in protocol version 2 for
           data integrity protection. Multiple algorithms must be  comma-sepa-
           rated. The default is hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96.
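       Ciphers, HostKeyAlgorithms and MACs are all "in order of preference"
       lists, and the order only expresses a preference: in SSH protocol
       version 2 the algorithm used is the first name on the client's list
       that the server also offers (RFC 4253, section 7.1; host key selection
       follows the same client-preference rule, subject to compatibility with
       the chosen key exchange). Preference therefore does not stop a weaker
       algorithm from being chosen when that is all the server has; only
       removing it from the list does. The Python below is an added example
       written for this page, not OpenSSH's code; the client lists are the
       defaults quoted on this page, the server lists are constructed.

```python
"""Pick one algorithm from two comma-separated preference lists the way SSH
protocol version 2 key exchange does (RFC 4253 section 7.1): the result is
the first name on the client's list that also appears on the server's list,
and no common name means the key exchange fails. Illustrative code for this
page, not OpenSSH's; the server lists are constructed examples."""

# Client defaults quoted from the Ciphers and MACs entries of this page.
DEFAULT_CIPHERS = 'aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc'
DEFAULT_MACS = 'hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96'

# Constructed server-side lists (what a server's sshd_config might offer).
SERVER_MODERN = 'aes128-ctr,aes128-cbc,3des-cbc'
SERVER_LEGACY = 'arcfour,3des-cbc'
SERVER_MACS = 'hmac-sha1,hmac-md5-96'


def name_list(text):
    """Split an SSH name-list, dropping empty items and surrounding space."""
    return [n.strip() for n in text.split(',') if n.strip()]


def negotiate(client_list, server_list):
    """First client preference the server supports, or None on failure."""
    server = set(name_list(server_list))
    for name in name_list(client_list):
        if name in server:
            return name
    return None                       # no common algorithm: ssh disconnects


def negotiate_all(client_ciphers, client_macs, server_ciphers, server_macs):
    """Negotiate cipher and MAC together; any None means the key exchange
    fails and the client disconnects."""
    return {'cipher': negotiate(client_ciphers, server_ciphers),
            'mac': negotiate(client_macs, server_macs)}


if __name__ == '__main__':
    print(negotiate_all(DEFAULT_CIPHERS, DEFAULT_MACS, SERVER_MODERN, SERVER_MACS))
    print(negotiate_all(DEFAULT_CIPHERS, DEFAULT_MACS, SERVER_LEGACY, SERVER_MACS))
    # A pruned client list refuses the legacy server instead of using arcfour.
    print(negotiate('aes128-ctr,aes128-cbc', SERVER_LEGACY))
```

       Against the legacy server the default client list settles on arcfour;
       a client whose Ciphers line names only the AES entries gets None, that
       is, a failed key exchange, which is the outcome to want when the
       alternative is a cipher you did not mean to accept.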



       NoHostAuthenticationForLocalhost

           This  option  can  be  used  if the home directory is shared across
           machines. In this case localhost will refer to a different  machine
           on  each  of the machines and the user will get many warnings about
           changed host keys. However, this option disables  host  authentica-
           tion for localhost. The argument to this keyword must be yes or no.
           The default is to check the host key for localhost.



       NumberOfPasswordPrompts

           Specifies the number of password  prompts  before  giving  up.  The
           argument to this keyword must be an integer. The default is 3.



       PasswordAuthentication

           Specifies  whether  to use password authentication. The argument to
           this keyword must be yes or no. Note that this  option  applies  to
           both protocol versions 1 and 2. The default is yes.



       Port

           Specifies  the  port  number  to  connect  on  the remote host. The
           default is 22.



       Protocol

           Specifies the protocol versions ssh  should  support  in  order  of
           preference. The possible values are 1 and 2. Multiple versions must
           be comma-separated. The default is 1,2. This means that  ssh  tries
           version  1  and  falls back to version 2 if version 1 is not avail-
           able.



       PreferredAuthentications

           Specifies the order in which  the  client  should  try  protocol  2
           authentication  methods.  This allows a client to prefer one method
           (for example, keyboard-interactive) over another method (for  exam-
           ple,  password).  The  default  for  this option is: hostbased,pub-
           lickey,keyboard-interactive,password.



       ProxyCommand

           Specifies the command to use to connect to the server. The  command
           string  extends  to  the  end  of  the  line,  and is executed with
           /bin/sh. In the command string, %h is substituted by the host  name
           to connect and %p by the port. The string can be any valid command,
           and should read from its standard input and write to  its  standard
           output.  It should eventually connect an sshd(1M) server running on
           some machine, or execute sshd -i  somewhere.  Host  key  management
           will  be  done  using  the  HostName  of  the  host being connected
           (defaulting to the name typed by the user). Note  that  CheckHostIP
           is not available for connects with a proxy command.



       PubkeyAuthentication

           Specifies whether to try public key authentication. The argument to
           this keyword must be yes or no. The default  is  yes.  This  option
           applies to protocol version 2 only.



       RemoteForward

           Specifies  that  a  TCP/IP  port on the remote machine be forwarded
           over the secure  channel  to  a  given  host:port  from  the  local
           machine.  The  first argument must be a port number, and the second
           must be host:port. IPv6 addresses can be specified with an alterna-
           tive  syntax:  host/port.  You can specify multiple forwardings and
           give additional forwardings on the command line. Only the superuser
           can forward privileged ports.
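       The three forwarding keywords share one argument grammar: a listening
       port, and (for LocalForward and RemoteForward) a destination written
       as host:port or, so that IPv6 addresses are unambiguous, host/port;
       DynamicForward takes only the port because the SOCKS4 client supplies
       the destination. Where the listener binds follows from GatewayPorts
       for local listeners, and whether root is required follows from the
       port number. The Python below is an added example written for this
       page, not OpenSSH's parser; the forwarding specifications it is
       exercised with are constructed, and the bind address reported for a
       RemoteForward is None because that listener is created by the server
       and governed by its own configuration (sshd_config(4)), not by the
       client's GatewayPorts.

```python
"""Parse the arguments of LocalForward, RemoteForward and DynamicForward as
this page describes them and report where the listener binds and whether
the superuser is needed. Illustrative code for this page, not OpenSSH's."""

PRIVILEGED_PORT_LIMIT = 1024      # only the superuser may forward ports below


def split_host_port(spec):
    """'host:port', or 'host/port' (the alternative that keeps an IPv6
    address such as fe80::1 unambiguous). Returns (host, port)."""
    sep = '/' if '/' in spec else ':'
    host, _, port = spec.rpartition(sep)
    if not host or not port.isdigit():
        raise ValueError('expected host:port or host/port, got %r' % spec)
    return host, int(port)


def parse_forward(keyword, argument, gateway_ports=False):
    """Describe one forwarding declaration as a dict. For local listeners
    (LocalForward, DynamicForward) GatewayPorts selects the wildcard address
    instead of loopback; the IPv4 wildcard is shown, IPv6 listeners are not
    modelled. A RemoteForward listener belongs to sshd, so 'bind' is None."""
    kw = keyword.lower()              # keywords are case-insensitive
    fields = argument.split()
    if kw == 'dynamicforward':
        if len(fields) != 1:
            raise ValueError('DynamicForward takes exactly one port')
        listen_port, target = int(fields[0]), None   # SOCKS4 picks the target
    elif kw in ('localforward', 'remoteforward'):
        if len(fields) != 2:
            raise ValueError('%s takes a port and a host:port' % keyword)
        listen_port, target = int(fields[0]), split_host_port(fields[1])
    else:
        raise ValueError('not a forwarding keyword: %r' % keyword)
    if not 0 < listen_port < 65536:
        raise ValueError('port out of range: %d' % listen_port)
    side = 'remote' if kw == 'remoteforward' else 'local'
    if side == 'local':
        bind = '0.0.0.0' if gateway_ports else '127.0.0.1'
    else:
        bind = None
    return {'keyword': keyword, 'side': side, 'listen_port': listen_port,
            'bind': bind, 'target': target,
            'needs_root': listen_port < PRIVILEGED_PORT_LIMIT}


if __name__ == '__main__':
    # Constructed declarations, not taken from any real configuration.
    for kw, arg in (('LocalForward', '8080 intranet.example:80'),
                    ('LocalForward', '2222 fe80::1/22'),
                    ('DynamicForward', '1080'),
                    ('RemoteForward', '80 localhost:8000')):
        print(parse_forward(kw, arg))
    print(parse_forward('LocalForward', '8080 intranet.example:80',
                        gateway_ports=True))
```

       The last call is the one to look at twice: with GatewayPorts yes the
       8080 listener is reachable from any host that can reach the client,
       which is exactly what the loopback default exists to prevent.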



       RhostsAuthentication

           Specifies  whether  to  try  rhosts-based authentication. Note that
           this declaration affects only the client side  and  has  no  effect
           whatsoever  on security. Disabling rhosts authentication can reduce
           authentication time on slow connections when rhosts  authentication
           is  not  used.  Most  servers  do  not  permit RhostsAuthentication
           because it is not secure (see RhostsRSAAuthentication).  The  argu-
           ment to this keyword must be yes or no. This option applies only to
           the protocol version 1 and requires that ssh  be  setuid  root  and
           that UsePrivilegedPort be set to yes.



       RhostsRSAAuthentication

           Specifies  whether to try rhosts-based authentication with RSA host
           authentication. This is the primary authentication method for  most
           sites.  The argument must be yes or no. This option applies only to
           the protocol version 1 and requires that ssh  be  setuid  root  and
           that UsePrivilegedPort be set to yes.



       StrictHostKeyChecking

            If  this  flag is set to yes, ssh will never automatically add host
            keys to the $HOME/.ssh/known_hosts file, and will refuse to connect
            to hosts whose host key has changed. This provides maximum  protec-
            tion against trojan horse attacks. However, it can be a  source  of
            inconvenience if you do not have good /etc/ssh/ssh_known_hosts files
            installed and frequently connect to new hosts.  This  option  forces
            the user to manually add any new hosts. Normally this option is dis-
            abled, and new hosts will automatically be added to the known  host
            files.  The host keys of known hosts will be verified automatically
            in either case. The argument must be yes, no, or ask.  The  default
            is ask.
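       CheckHostIP and StrictHostKeyChecking together decide what the client
       does with a presented host key: whether a changed key is fatal, whether
       an unknown host is added silently, prompted for, or refused, and
       whether the resolved address is checked against known_hosts as well as
       the name, which is what lets a DNS answer that points a known name at
       an address already on file with some other key be noticed. The Python
       below is an added model written for this page, not OpenSSH's code. Its
       known_hosts sample is constructed and its key strings are placeholders;
       what ssh does once CheckHostIP flags a mismatch is not stated on this
       page, so the model simply refuses there, and it also treats a changed
       key as fatal in every mode, a deliberate simplification.

```python
"""Model the host-key decisions that CheckHostIP and StrictHostKeyChecking
control. A known_hosts line is 'name1,name2,... keytype key' (the unhashed
format the Solaris 10 client writes); names may be host names or IP
addresses. Illustrative code written for this page, not OpenSSH's own
logic; the sample file and keys below are constructed placeholders."""

KNOWN_HOSTS = """\
# constructed sample: key strings are placeholders, not real keys
bastion,bastion.example,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2E-bastion-key
db1.corp.example,192.0.2.20 ssh-dss AAAAB3NzaC1kc3M-db1-key
"""


def parse_known_hosts(text):
    """Return [(names, keytype, key), ...]; comments and blank lines skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError('malformed known_hosts line: %r' % raw)
        entries.append((set(fields[0].split(',')), fields[1], fields[2]))
    return entries


def lookup(entries, name):
    """(keytype, key) recorded for NAME, or None if NAME is not on file."""
    for names, keytype, key in entries:
        if name in names:
            return keytype, key
    return None


def check_host_key(known_hosts, hostname, ip, keytype, key,
                   check_host_ip=True, strict='ask'):
    """Return (verdict, action) for a server presenting (keytype, key).
    STRICT is the StrictHostKeyChecking value: 'yes' never adds keys and
    refuses unknown hosts, 'ask' prompts for them, 'no' adds them. With
    CHECK_HOST_IP the resolved address is looked up too, so a name that now
    resolves to an address on file with a different key is caught (the DNS
    spoofing case the page mentions). This model refuses in that case and
    treats a changed key as fatal in every mode; both are simplifications
    chosen for this example, not behaviour stated on the page."""
    entries = parse_known_hosts(known_hosts)
    presented = (keytype, key)
    by_name = lookup(entries, hostname)
    by_ip = lookup(entries, ip) if check_host_ip else None

    if by_name is not None and by_name != presented:
        return 'changed', 'refuse'
    if by_ip is not None and by_ip != presented:
        return 'dns-spoofing-suspected', 'refuse'
    if by_name is not None:
        return 'match', 'connect'
    if strict == 'yes':
        return 'new', 'refuse'
    if strict == 'ask':
        return 'new', 'ask'
    if strict == 'no':
        return 'new', 'add-and-connect'
    raise ValueError('StrictHostKeyChecking must be yes, no or ask')


if __name__ == '__main__':
    good = ('ssh-rsa', 'AAAAB3NzaC1yc2E-bastion-key')
    print(check_host_key(KNOWN_HOSTS, 'bastion', '192.0.2.10', *good))
    # name still checks out, but DNS now sends us to db1's address
    print(check_host_key(KNOWN_HOSTS, 'bastion', '192.0.2.20', *good))
    print(check_host_key(KNOWN_HOSTS, 'bastion', '192.0.2.20', *good,
                         check_host_ip=False))
    print(check_host_key(KNOWN_HOSTS, 'web.example', '192.0.2.30',
                         'ssh-rsa', 'AAAA-web-key', strict='no'))
```

       The second and third calls differ only in CheckHostIP: with it off, a
       name whose key matches is accepted no matter which address it resolved
       to, which is the gap the option closes. The final call shows why
       StrictHostKeyChecking no belongs only in environments with a complete
       /etc/ssh/ssh_known_hosts: an unknown host is trusted on first contact.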



       UsePrivilegedPort

            Specifies  whether  to  use  a privileged port for outgoing connec-
            tions. The argument must be yes or no. The default is no. Note that
            setting this option to no turns off RhostsAuthentication and Rhosts-
            RSAAuthentication, and that if it is set to yes ssh must be  setuid
            root.



       User

           Specifies  the  user  to  log in as. This can be useful if you have
           different user names on different  machines.  This  saves  you  the
           trouble of having to remember to enter the user name on the command
           line.



       UserKnownHostsFile

           Specifies a file to use instead of $HOME/.ssh/known_hosts.



       UseRsh

           Specifies that rlogin or rsh should be used for this  host.  It  is
           possible  that  the  host  does  not support the ssh protocol. This
           causes ssh to immediately execute rsh(1). All other options (except
           HostName) are ignored if this has been specified. The argument must
           be yes or no.



       XAuthLocation

           Specifies the location of the  xauth(1)  program.  The  default  is
           /usr/openwin/bin/xauth.



SEE ALSO
       ssh(1),     ssh-http-proxy-connect(1),     ssh-socks5-proxy-connect(1),
       sshd(1M), sshd_config(4), SEAM(5)



SunOS 5.10                        31 Jul 2004                    ssh_config(4)