unixdev.net


Switch to SpeakEasy.net DSL

The Modular Manual Browser

Home Page
Manual: (SunOS-5.9)
Page:
Section:
Apropos / Subsearch:
optional field



File Formats                                        ssh_config(4)



NAME
     ssh_config - ssh configuration file

SYNOPSIS
     /etc/ssh/ssh_config

     $HOME/.ssh/config

DESCRIPTION
     The first version of ssh_config, above, is the host view  of
     defaults  for  ssh(1).  The  second version is user-specific
     defaults for ssh.

     ssh obtains configuration data from  the  following  sources
     (in  this order): command line options, user's configuration
     file ($HOME/.ssh/config), and system-wide configuration file
     (/etc/ssh/ssh_config).   For   each   parameter,  the  first
     obtained value will be used. The configuration files contain
     sections  bracketed by Host specifications, and that section
     is applied only for hosts that match  one  of  the  patterns
     given in the specification. The matched host name is the one
     given on the command line.

     Since the first obtained value for each parameter  is  used,
     host-specific  declarations  should be given near the begin-
     ning of the file, and general defaults at the end.

     In the configuration file, empty lines  and  lines  starting
     with  a  hash mark (#) are comments. Otherwise, a line is of
     the format: keyword arguments. Interpretation of the file is
     case-sensitive. The possible keywords and their meanings are
     as follows:

     Host  Restricts the following declarations (up to  the  next
           Host  keyword)  to  be only for those hosts that match
           one of the patterns given after the keyword.  Asterisk
           (*) and question mark (?)  can be used as wildcards in
           the patterns. A single * as a pattern can be  used  to
           provide global defaults for all hosts. The host is the
           hostname argument given on the command line (that  is,
           the name is not converted to a canonicalized host name
           before matching).

     BatchMode
           The argument must  be  yes  or  no.  If  set  to  yes,
           passphrase/password  querying  will  be disabled. This
           option is useful in scripts and other batch jobs where
           you have no user to supply the password.

     CheckHostIP
           If this flag is set  to  yes,  ssh  will  additionally
           check  the  host  IP  address in the known_hosts file.



SunOS 5.9           Last change: 18 Dec 2001                    1






File Formats                                        ssh_config(4)



           This allows ssh to detect if a host key changed due to
           DNS  spoofing.  If  the option is set to no, the check
           will not be executed.

     Cipher
           Specifies the cipher to use for encrypting the session
           in  protocol version 1; blowfish and 3des are the only
           valid values. Specifies the ciphers allowed for proto-
           col  version  2  in  order  of  preference.   Multiple
           ciphers must be comma-separated. The default is  3des-
           cbc,blowfish-cbc,aes-128-cbc.

     Compression
           Specifies whether to  use  compression.  The  argument
           must be yes or no.

     CompressionLevel
           Specifies the compression level to use if  compression
           is  enabled.  The  argument  must be an integer from 1
           (fast) to 9 (slow, best).  The  default  level  is  6,
           which is good for most applications..

     ConnectionAttempts
           Specifies the number of tries (one per second) to make
           before  falling  back  to rsh or exiting. The argument
           must be an integer. This can be useful in  scripts  if
           the connection sometimes fails.

     DSAAuthentication
           Specifies whether to try DSA authentication. The argu-
           ment  to this keyword must be yes or no. DSA authenti-
           cation is  attempted  only  if  a  DSA  identity  file
           exists. Note that this option applies to protocol ver-
           sion 2 only.

     EscapeChar
           Sets the escape character. The default is  tilde  (~).
           The  escape  character  can also be set on the command
           line. The argument should be a  single  character,  ^,
           followed  by  a  letter, or none to disable the escape
           character entirely (making the connection  transparent
           for binary data).

     FallBackToRsh
           Specifies that if connecting with ssh fails due  to  a
           connection  refused error (there is no sshd(8) listen-
           ing on the remote host), rsh(1)  should  automatically
           be  used  instead  (after a suitable warning about the
           session being unencrypted). The argument must  be  yes
           or no.

     ForwardAgent



SunOS 5.9           Last change: 18 Dec 2001                    2






File Formats                                        ssh_config(4)



           Specifies whether the connection to the authentication
           agent  (if  any)  will  be  forwarded  to  the  remote
           machine. The argument must be yes or no.  The  default
           is no.

     ForwardX11
           Specifies whether X11 connections  will  be  automati-
           cally  redirected  over the secure channel and DISPLAY
           set. The argument must be yes or no.  The  default  is
           no.

     GatewayPorts
           Specifies whether remote hosts are allowed to  connect
           to  local forwarded ports. The argument must be yes or
           no. The default is no.

     GlobalKnownHostsFile
           Specifies    a    file    to    use     instead     of
           /etc/ssh_known_hosts.

     HostName
           Specifies the real host name to log into. This can  be
           used  to specify nicknames or abbreviations for hosts.
           Default is the name given on the command line. Numeric
           IP  addresses  are also permitted (both on the command
           line and in HostName specifications).

     IdentityFile
           Specifies the file from which the user's RSA authenti-
           cation    identity    is    read.   The   default   is
           $HOME/.ssh/identity  in  the  user's  home  directory.
           Additionally,   any   identities  represented  by  the
           authentication agent will be used for  authentication.
           The file name can use the tilde (~) syntax to refer to
           a user's home directory. It is possible to have multi-
           ple  identity  files specified in configuration files;
           all of these identities will be tried in sequence.

     IdentityFile2
           Specifies the file from which the user's DSA authenti-
           cation    identity    is    read.   The   default   is
           $HOME/.ssh/id_dsa in the user's  home  directory.  The
           file  name  can use the tilde (~) syntax to refer to a
           user's home directory. It is possible to have multiple
           identity  files  specified in configuration files; all
           of these identities will be tried in sequence.

     KeepAlive
           Specifies whether the  system  should  send  keepalive
           messages to the other side. If they are sent, death of
           the connection or crash of one of the machines will be
           properly noticed. However, this means that connections



SunOS 5.9           Last change: 18 Dec 2001                    3






File Formats                                        ssh_config(4)



           die if the route is down temporarily, which can  be  a
           source of annoyance.

           The default is yes (to send keepalives),  which  means
           the  client  notices  if  the network goes down or the
           remote host dies. This is important  in  scripts,  and
           many  users  want  it  too. To disable keepalives, the
           value should be set to no in both the server  and  the
           client configuration files.

     LocalForward
           Specifies that a TCP/IP port on the local  machine  be
           forwarded over the secure channel to a given host:port
           from the remote machine. The first argument must be  a
           port  number, and the second must be host:port. Multi-
           ple forwardings may be specified, and additional  for-
           wardings  can  be  given on the command line. Only the
           superuser can forward privileged ports.

     LogLevel
           Gives the verbosity level that is  used  when  logging
           messages  from  ssh.  The  possible values are: QUIET,
           FATAL, ERROR, INFO, VERBOSE and DEBUG. The default  is
           INFO.

     NumberOfPasswordPrompts
           Specifies the number of password prompts before giving
           up.  The  argument to this keyword must be an integer.
           The default is 3.

     PasswordAuthentication
           Specifies whether to use password authentication.  The
           argument  to this keyword must be yes or no. Note that
           this option applies to both protocol versions 1 and 2.

     Port  Specifies the port number to  connect  on  the  remote
           host. The default is 22.

     Protocol
           Specifies the protocol versions ssh should support  in
           order  of preference. The possible values are 1 and 2.
           Multiple versions must be comma-separated. The default
           is  1,2. This means that ssh tries version 1 and falls
           back to version 2 if version 1 is not available.

     ProxyCommand
           Specifies the command to use to connect to the server.
           The command string extends to the end of the line, and
           is executed with /bin/sh. In the command string, %h is
           substituted  by the host name to connect and %p by the
           port. The string can be any valid command, and  should
           read from its standard input and write to its standard



SunOS 5.9           Last change: 18 Dec 2001                    4






File Formats                                        ssh_config(4)



           output.  It  should  eventually  connect  an  sshd(1M)
           server  running  on  some  machine, or execute sshd -i
           somewhere. Host key management will be done using  the
           HostName  of  the  host being connected (defaulting to
           the name typed by the user). Note that CheckHostIP  is
           not available for connects with a proxy command.

     RemoteForward
           Specifies that a TCP/IP port on the remote machine  be
           forwarded over the secure channel to a given host:port
           from the local machine. The first argument must  be  a
           port number, and the second must be host:port. You can
           specify multiple forwardings and give additional  for-
           wardings  on  the command line. Only the superuser can
           forward privileged ports.

     RhostsAuthentication
           Specifies whether to try rhosts-based  authentication.
           Note  that  this  declaration  affects only the client
           side and has no effect whatsoever on  security.  Disa-
           bling  rhosts authentication can reduce authentication
           time on slow connections when rhosts authentication is
           not used. Most servers do not permit RhostsAuthentica-
           tion because it is not secure (see  RhostsRSAAuthenti-
           cation).  The  argument to this keyword must be yes or
           no.

     RhostsRSAAuthentication
           Specifies whether to try  rhosts-based  authentication
           with  RSA  host  authentication.  This  is the primary
           authentication method for  most  sites.  The  argument
           must be yes or no.

     StrictHostKeyChecking
           If this flag is set to yes, ssh will  never  automati-
           cally  add  host  keys  to  the $HOME/.ssh/known_hosts
           file, and will refuse to connect hosts whose host  key
           has changed.  This provides maximum protection against
           trojan horse attacks. However, it can be a  source  of
           inconvenience    if    you    do    not    have   good
           /etc/ssh_known_hosts files  installed  and  frequently
           connect  new  hosts.  This  option  forces the user to
           manually add any new hosts. Normally  this  option  is
           disabled, and new hosts will automatically be added to
           the known host files. The host  keys  of  known  hosts
           will  be  verified  automatically  in either case. The
           argument must be yes or no.

     UsePrivilegedPort
           Specifies whether to use a privileged port for  outgo-
           ing  connections.  The argument must be yes or no. The
           default is yes. Note that setting this  option  to  no



SunOS 5.9           Last change: 18 Dec 2001                    5






File Formats                                        ssh_config(4)



           turns  off RhostsAuthentication and RhostsRSAAuthenti-
           cation.

     User  Specifies the user to log in as. This can be useful if
           you  have  different user names on different machines.
           This saves you the trouble of having  to  remember  to
           enter the user name on the command line.

     UserKnownHostsFile
           Specifies    a    file    to    use     instead     of
           $HOME/.ssh/known_hosts.

     UseRsh
           Specifies that rlogin or rsh should be used  for  this
           host.  It  is  possible that the host does not support
           the ssh protocol. This causes ssh to immediately  exe-
           cute  rsh(1).  All other options (except HostName) are
           ignored if this has been specified. The argument  must
           be yes or no.

     XAuthLocation
           Specifies the location of the  xauth(1)  program.  The
           default is /usr/openwin/bin/xauth.

SEE ALSO
     ssh(1), sshd_config(4)





























SunOS 5.9           Last change: 18 Dec 2001                    6