2008-07-23 09:15:38 +00:00
|
|
|
SSH_CONFIG(5) OpenBSD Programmer's Manual SSH_CONFIG(5)
|
|
|
|
|
|
|
|
NAME
|
|
|
|
ssh_config - OpenSSH SSH client configuration files
|
|
|
|
|
|
|
|
SYNOPSIS
|
|
|
|
~/.ssh/config
|
|
|
|
/etc/ssh/ssh_config
|
|
|
|
|
|
|
|
DESCRIPTION
|
|
|
|
ssh(1) obtains configuration data from the following sources in the fol-
|
|
|
|
lowing order:
|
|
|
|
|
|
|
|
1. command-line options
|
|
|
|
2. user's configuration file (~/.ssh/config)
|
|
|
|
3. system-wide configuration file (/etc/ssh/ssh_config)
|
|
|
|
|
|
|
|
For each parameter, the first obtained value will be used. The configu-
|
|
|
|
ration files contain sections separated by ``Host'' specifications, and
|
|
|
|
that section is only applied for hosts that match one of the patterns
|
|
|
|
given in the specification. The matched host name is the one given on
|
|
|
|
the command line.
|
|
|
|
|
|
|
|
Since the first obtained value for each parameter is used, more host-spe-
|
|
|
|
cific declarations should be given near the beginning of the file, and
|
|
|
|
general defaults at the end.
|
|
|
|
|
|
|
|
The configuration file has the following format:
|
|
|
|
|
|
|
|
Empty lines and lines starting with `#' are comments. Otherwise a line
|
|
|
|
is of the format ``keyword arguments''. Configuration options may be
|
|
|
|
separated by whitespace or optional whitespace and exactly one `='; the
|
|
|
|
latter format is useful to avoid the need to quote whitespace when speci-
|
|
|
|
fying configuration options using the ssh, scp, and sftp -o option. Ar-
|
|
|
|
guments may optionally be enclosed in double quotes (") in order to rep-
|
|
|
|
resent arguments containing spaces.
|
|
|
|
|
|
|
|
The possible keywords and their meanings are as follows (note that key-
|
|
|
|
words are case-insensitive and arguments are case-sensitive):
|
|
|
|
|
|
|
|
Host Restricts the following declarations (up to the next Host key-
|
|
|
|
word) to be only for those hosts that match one of the patterns
|
2008-07-23 09:33:08 +00:00
|
|
|
given after the keyword. If more than one pattern is provided,
|
2009-02-24 18:49:27 +00:00
|
|
|
they should be separated by whitespace. A single `*' as a pat-
|
2008-07-23 09:33:08 +00:00
|
|
|
tern can be used to provide global defaults for all hosts. The
|
|
|
|
host is the hostname argument given on the command line (i.e. the
|
|
|
|
name is not converted to a canonicalized host name before match-
|
|
|
|
ing).
|
2008-07-23 09:15:38 +00:00
|
|
|
|
|
|
|
See PATTERNS for more information on patterns.
|
|
|
|
|
|
|
|
AddressFamily
|
|
|
|
Specifies which address family to use when connecting. Valid ar-
|
|
|
|
guments are ``any'', ``inet'' (use IPv4 only), or ``inet6'' (use
|
|
|
|
IPv6 only).
|
|
|
|
|
|
|
|
BatchMode
|
|
|
|
If set to ``yes'', passphrase/password querying will be disabled.
|
|
|
|
This option is useful in scripts and other batch jobs where no
|
|
|
|
user is present to supply the password. The argument must be
|
|
|
|
``yes'' or ``no''. The default is ``no''.
|
|
|
|
|
|
|
|
BindAddress
|
|
|
|
Use the specified address on the local machine as the source ad-
|
|
|
|
dress of the connection. Only useful on systems with more than
|
|
|
|
one address. Note that this option does not work if
|
|
|
|
UsePrivilegedPort is set to ``yes''.
|
|
|
|
|
|
|
|
ChallengeResponseAuthentication
|
|
|
|
Specifies whether to use challenge-response authentication. The
|
|
|
|
argument to this keyword must be ``yes'' or ``no''. The default
|
|
|
|
is ``yes''.
|
|
|
|
|
|
|
|
CheckHostIP
|
|
|
|
If this flag is set to ``yes'', ssh(1) will additionally check
|
|
|
|
the host IP address in the known_hosts file. This allows ssh to
|
|
|
|
detect if a host key changed due to DNS spoofing. If the option
|
|
|
|
is set to ``no'', the check will not be executed. The default is
|
|
|
|
``yes''.
|
|
|
|
|
|
|
|
Cipher Specifies the cipher to use for encrypting the session in proto-
|
|
|
|
col version 1. Currently, ``blowfish'', ``3des'', and ``des''
|
|
|
|
are supported. des is only supported in the ssh(1) client for
|
|
|
|
interoperability with legacy protocol 1 implementations that do
|
|
|
|
not support the 3des cipher. Its use is strongly discouraged due
|
|
|
|
to cryptographic weaknesses. The default is ``3des''.
|
|
|
|
|
|
|
|
Ciphers
|
|
|
|
Specifies the ciphers allowed for protocol version 2 in order of
|
|
|
|
preference. Multiple ciphers must be comma-separated. The sup-
|
|
|
|
ported ciphers are ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'',
|
|
|
|
``aes256-cbc'', ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'',
|
|
|
|
``arcfour128'', ``arcfour256'', ``arcfour'', ``blowfish-cbc'',
|
|
|
|
and ``cast128-cbc''. The default is:
|
|
|
|
|
2009-02-24 18:49:27 +00:00
|
|
|
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
|
|
|
|
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
|
|
|
|
aes256-cbc,arcfour
|
2008-07-23 09:15:38 +00:00
|
|
|
|
|
|
|
ClearAllForwardings
|
|
|
|
Specifies that all local, remote, and dynamic port forwardings
|
|
|
|
specified in the configuration files or on the command line be
|
|
|
|
cleared. This option is primarily useful when used from the
|
|
|
|
ssh(1) command line to clear port forwardings set in configura-
|
|
|
|
tion files, and is automatically set by scp(1) and sftp(1). The
|
|
|
|
argument must be ``yes'' or ``no''. The default is ``no''.
|
|
|
|
|
|
|
|
Compression
|
|
|
|
Specifies whether to use compression. The argument must be
|
|
|
|
``yes'' or ``no''. The default is ``no''.
|
|
|
|
|
|
|
|
CompressionLevel
|
|
|
|
Specifies the compression level to use if compression is enabled.
|
|
|
|
The argument must be an integer from 1 (fast) to 9 (slow, best).
|
|
|
|
The default level is 6, which is good for most applications. The
|
|
|
|
meaning of the values is the same as in gzip(1). Note that this
|
|
|
|
option applies to protocol version 1 only.
|
|
|
|
|
|
|
|
ConnectionAttempts
|
|
|
|
Specifies the number of tries (one per second) to make before ex-
|
|
|
|
iting. The argument must be an integer. This may be useful in
|
|
|
|
scripts if the connection sometimes fails. The default is 1.
|
|
|
|
|
|
|
|
ConnectTimeout
|
|
|
|
Specifies the timeout (in seconds) used when connecting to the
|
|
|
|
SSH server, instead of using the default system TCP timeout.
|
|
|
|
This value is used only when the target is down or really un-
|
|
|
|
reachable, not when it refuses the connection.
|
|
|
|
|
|
|
|
ControlMaster
|
|
|
|
Enables the sharing of multiple sessions over a single network
|
|
|
|
connection. When set to ``yes'', ssh(1) will listen for connec-
|
|
|
|
tions on a control socket specified using the ControlPath argu-
|
|
|
|
ment. Additional sessions can connect to this socket using the
|
|
|
|
same ControlPath with ControlMaster set to ``no'' (the default).
|
|
|
|
These sessions will try to reuse the master instance's network
|
|
|
|
connection rather than initiating new ones, but will fall back to
|
|
|
|
connecting normally if the control socket does not exist, or is
|
|
|
|
not listening.
|
|
|
|
|
|
|
|
Setting this to ``ask'' will cause ssh to listen for control con-
|
|
|
|
nections, but require confirmation using the SSH_ASKPASS program
|
|
|
|
before they are accepted (see ssh-add(1) for details). If the
|
|
|
|
ControlPath cannot be opened, ssh will continue without connect-
|
|
|
|
ing to a master instance.
|
|
|
|
|
|
|
|
X11 and ssh-agent(1) forwarding is supported over these multi-
|
|
|
|
plexed connections, however the display and agent forwarded will
|
|
|
|
be the one belonging to the master connection i.e. it is not pos-
|
|
|
|
sible to forward multiple displays or agents.
|
|
|
|
|
|
|
|
Two additional options allow for opportunistic multiplexing: try
|
|
|
|
to use a master connection but fall back to creating a new one if
|
|
|
|
one does not already exist. These options are: ``auto'' and
|
|
|
|
``autoask''. The latter requires confirmation like the ``ask''
|
|
|
|
option.
|
|
|
|
|
|
|
|
ControlPath
|
|
|
|
Specify the path to the control socket used for connection shar-
|
|
|
|
ing as described in the ControlMaster section above or the string
|
|
|
|
``none'' to disable connection sharing. In the path, `%l' will
|
|
|
|
be substituted by the local host name, `%h' will be substituted
|
|
|
|
by the target host name, `%p' the port, and `%r' by the remote
|
|
|
|
login username. It is recommended that any ControlPath used for
|
|
|
|
opportunistic connection sharing include at least %h, %p, and %r.
|
|
|
|
This ensures that shared connections are uniquely identified.
|
|
|
|
|
|
|
|
DynamicForward
|
|
|
|
Specifies that a TCP port on the local machine be forwarded over
|
|
|
|
the secure channel, and the application protocol is then used to
|
|
|
|
determine where to connect to from the remote machine.
|
|
|
|
|
|
|
|
The argument must be [bind_address:]port. IPv6 addresses can be
|
|
|
|
specified by enclosing addresses in square brackets or by using
|
|
|
|
an alternative syntax: [bind_address/]port. By default, the lo-
|
|
|
|
cal port is bound in accordance with the GatewayPorts setting.
|
|
|
|
However, an explicit bind_address may be used to bind the connec-
|
|
|
|
tion to a specific address. The bind_address of ``localhost''
|
|
|
|
indicates that the listening port be bound for local use only,
|
|
|
|
while an empty address or `*' indicates that the port should be
|
|
|
|
available from all interfaces.
|
|
|
|
|
|
|
|
Currently the SOCKS4 and SOCKS5 protocols are supported, and
|
|
|
|
ssh(1) will act as a SOCKS server. Multiple forwardings may be
|
|
|
|
specified, and additional forwardings can be given on the command
|
|
|
|
line. Only the superuser can forward privileged ports.
|
|
|
|
|
|
|
|
EnableSSHKeysign
|
|
|
|
Setting this option to ``yes'' in the global client configuration
|
|
|
|
file /etc/ssh/ssh_config enables the use of the helper program
|
|
|
|
ssh-keysign(8) during HostbasedAuthentication. The argument must
|
|
|
|
be ``yes'' or ``no''. The default is ``no''. This option should
|
|
|
|
be placed in the non-hostspecific section. See ssh-keysign(8)
|
|
|
|
for more information.
|
|
|
|
|
|
|
|
EscapeChar
|
|
|
|
Sets the escape character (default: `~'). The escape character
|
|
|
|
can also be set on the command line. The argument should be a
|
|
|
|
single character, `^' followed by a letter, or ``none'' to dis-
|
|
|
|
able the escape character entirely (making the connection trans-
|
|
|
|
parent for binary data).
|
|
|
|
|
|
|
|
ExitOnForwardFailure
|
|
|
|
Specifies whether ssh(1) should terminate the connection if it
|
2008-07-23 09:23:42 +00:00
|
|
|
cannot set up all requested dynamic, tunnel, local, and remote
|
|
|
|
port forwardings. The argument must be ``yes'' or ``no''. The
|
|
|
|
default is ``no''.
|
2008-07-23 09:15:38 +00:00
|
|
|
|
|
|
|
ForwardAgent
|
|
|
|
Specifies whether the connection to the authentication agent (if
|
|
|
|
any) will be forwarded to the remote machine. The argument must
|
|
|
|
be ``yes'' or ``no''. The default is ``no''.
|
|
|
|
|
|
|
|
Agent forwarding should be enabled with caution. Users with the
|
|
|
|
ability to bypass file permissions on the remote host (for the
|
|
|
|
agent's Unix-domain socket) can access the local agent through
|
|
|
|
the forwarded connection. An attacker cannot obtain key material
|
|
|
|
from the agent, however they can perform operations on the keys
|
|
|
|
that enable them to authenticate using the identities loaded into
|
|
|
|
the agent.
|
|
|
|
|
|
|
|
ForwardX11
|
|
|
|
Specifies whether X11 connections will be automatically redirect-
|
|
|
|
ed over the secure channel and DISPLAY set. The argument must be
|
|
|
|
``yes'' or ``no''. The default is ``no''.
|
|
|
|
|
|
|
|
X11 forwarding should be enabled with caution. Users with the
|
|
|
|
ability to bypass file permissions on the remote host (for the
|
|
|
|
user's X11 authorization database) can access the local X11 dis-
|
|
|
|
play through the forwarded connection. An attacker may then be
|
|
|
|
able to perform activities such as keystroke monitoring if the
|
|
|
|
ForwardX11Trusted option is also enabled.
|
|
|
|
|
|
|
|
ForwardX11Trusted
|
|
|
|
If this option is set to ``yes'', remote X11 clients will have
|
|
|
|
full access to the original X11 display.
|
|
|
|
|
|
|
|
If this option is set to ``no'', remote X11 clients will be con-
|
|
|
|
sidered untrusted and prevented from stealing or tampering with
|
|
|
|
data belonging to trusted X11 clients. Furthermore, the xauth(1)
|
|
|
|
token used for the session will be set to expire after 20 min-
|
|
|
|
utes. Remote clients will be refused access after this time.
|
|
|
|
|
|
|
|
The default is ``no''.
|
|
|
|
|
|
|
|
See the X11 SECURITY extension specification for full details on
|
|
|
|
the restrictions imposed on untrusted clients.
|
|
|
|
|
|
|
|
GatewayPorts
|
|
|
|
Specifies whether remote hosts are allowed to connect to local
|
|
|
|
forwarded ports. By default, ssh(1) binds local port forwardings
|
|
|
|
to the loopback address. This prevents other remote hosts from
|
|
|
|
connecting to forwarded ports. GatewayPorts can be used to spec-
|
|
|
|
ify that ssh should bind local port forwardings to the wildcard
|
|
|
|
address, thus allowing remote hosts to connect to forwarded
|
|
|
|
ports. The argument must be ``yes'' or ``no''. The default is
|
|
|
|
``no''.
|
|
|
|
|
|
|
|
GlobalKnownHostsFile
|
|
|
|
Specifies a file to use for the global host key database instead
|
|
|
|
of /etc/ssh/ssh_known_hosts.
|
|
|
|
|
|
|
|
GSSAPIAuthentication
|
|
|
|
Specifies whether user authentication based on GSSAPI is allowed.
|
|
|
|
The default is ``no''. Note that this option applies to protocol
|
|
|
|
version 2 only.
|
|
|
|
|
|
|
|
GSSAPIDelegateCredentials
|
|
|
|
Forward (delegate) credentials to the server. The default is
|
|
|
|
``no''. Note that this option applies to protocol version 2 on-
|
|
|
|
ly.
|
|
|
|
|
|
|
|
HashKnownHosts
|
|
|
|
Indicates that ssh(1) should hash host names and addresses when
|
|
|
|
they are added to ~/.ssh/known_hosts. These hashed names may be
|
|
|
|
used normally by ssh(1) and sshd(8), but they do not reveal iden-
|
|
|
|
tifying information should the file's contents be disclosed. The
|
|
|
|
default is ``no''. Note that existing names and addresses in
|
|
|
|
known hosts files will not be converted automatically, but may be
|
|
|
|
manually hashed using ssh-keygen(1).
|
|
|
|
|
|
|
|
HostbasedAuthentication
|
|
|
|
Specifies whether to try rhosts based authentication with public
|
|
|
|
key authentication. The argument must be ``yes'' or ``no''. The
|
|
|
|
default is ``no''. This option applies to protocol version 2 on-
|
|
|
|
ly and is similar to RhostsRSAAuthentication.
|
|
|
|
|
|
|
|
HostKeyAlgorithms
|
|
|
|
Specifies the protocol version 2 host key algorithms that the
|
|
|
|
client wants to use in order of preference. The default for this
|
|
|
|
option is: ``ssh-rsa,ssh-dss''.
|
|
|
|
|
|
|
|
HostKeyAlias
|
|
|
|
Specifies an alias that should be used instead of the real host
|
|
|
|
name when looking up or saving the host key in the host key
|
|
|
|
database files. This option is useful for tunneling SSH connec-
|
|
|
|
tions or for multiple servers running on a single host.
|
|
|
|
|
|
|
|
HostName
|
|
|
|
Specifies the real host name to log into. This can be used to
|
|
|
|
specify nicknames or abbreviations for hosts. The default is the
|
|
|
|
name given on the command line. Numeric IP addresses are also
|
|
|
|
permitted (both on the command line and in HostName specifica-
|
|
|
|
tions).
|
|
|
|
|
|
|
|
IdentitiesOnly
|
|
|
|
Specifies that ssh(1) should only use the authentication identity
|
|
|
|
files configured in the ssh_config files, even if ssh-agent(1)
|
|
|
|
offers more identities. The argument to this keyword must be
|
|
|
|
``yes'' or ``no''. This option is intended for situations where
|
|
|
|
ssh-agent offers many different identities. The default is
|
|
|
|
``no''.
|
|
|
|
|
|
|
|
IdentityFile
|
|
|
|
Specifies a file from which the user's RSA or DSA authentication
|
|
|
|
identity is read. The default is ~/.ssh/identity for protocol
|
|
|
|
version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol ver-
|
|
|
|
sion 2. Additionally, any identities represented by the authen-
|
|
|
|
tication agent will be used for authentication.
|
|
|
|
|
|
|
|
The file name may use the tilde syntax to refer to a user's home
|
|
|
|
directory or one of the following escape characters: `%d' (local
|
|
|
|
user's home directory), `%u' (local user name), `%l' (local host
|
|
|
|
name), `%h' (remote host name) or `%r' (remote user name).
|
|
|
|
|
|
|
|
It is possible to have multiple identity files specified in con-
|
|
|
|
figuration files; all these identities will be tried in sequence.
|
|
|
|
|
2008-07-23 09:28:49 +00:00
|
|
|
KbdInteractiveAuthentication
|
|
|
|
Specifies whether to use keyboard-interactive authentication.
|
|
|
|
The argument to this keyword must be ``yes'' or ``no''. The de-
|
|
|
|
fault is ``yes''.
|
|
|
|
|
2008-07-23 09:15:38 +00:00
|
|
|
KbdInteractiveDevices
|
|
|
|
Specifies the list of methods to use in keyboard-interactive au-
|
|
|
|
thentication. Multiple method names must be comma-separated.
|
|
|
|
The default is to use the server specified list. The methods
|
|
|
|
available vary depending on what the server supports. For an
|
|
|
|
OpenSSH server, it may be zero or more of: ``bsdauth'', ``pam'',
|
|
|
|
and ``skey''.
|
|
|
|
|
|
|
|
LocalCommand
|
|
|
|
Specifies a command to execute on the local machine after suc-
|
|
|
|
cessfully connecting to the server. The command string extends
|
2008-07-23 09:28:49 +00:00
|
|
|
to the end of the line, and is executed with the user's shell.
|
2008-07-23 09:33:08 +00:00
|
|
|
The following escape character substitutions will be performed:
|
|
|
|
`%d' (local user's home directory), `%h' (remote host name), `%l'
|
|
|
|
(local host name), `%n' (host name as provided on the command
|
|
|
|
line), `%p' (remote port), `%r' (remote user name) or `%u' (local
|
|
|
|
user name). This directive is ignored unless PermitLocalCommand
|
|
|
|
has been enabled.
|
2008-07-23 09:15:38 +00:00
|
|
|
|
|
|
|
LocalForward
|
|
|
|
Specifies that a TCP port on the local machine be forwarded over
|
|
|
|
the secure channel to the specified host and port from the remote
|
|
|
|
machine. The first argument must be [bind_address:]port and the
|
|
|
|
second argument must be host:hostport. IPv6 addresses can be
|
|
|
|
specified by enclosing addresses in square brackets or by using
|
|
|
|
an alternative syntax: [bind_address/]port and host/hostport.
|
|
|
|
Multiple forwardings may be specified, and additional forwardings
|
|
|
|
can be given on the command line. Only the superuser can forward
|
|
|
|
privileged ports. By default, the local port is bound in accor-
|
|
|
|
dance with the GatewayPorts setting. However, an explicit
|
|
|
|
bind_address may be used to bind the connection to a specific ad-
|
|
|
|
dress. The bind_address of ``localhost'' indicates that the lis-
|
|
|
|
tening port be bound for local use only, while an empty address
|
|
|
|
or `*' indicates that the port should be available from all in-
|
|
|
|
terfaces.
|
|
|
|
|
|
|
|
LogLevel
|
|
|
|
Gives the verbosity level that is used when logging messages from
|
|
|
|
ssh(1). The possible values are: QUIET, FATAL, ERROR, INFO, VER-
|
|
|
|
BOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO.
|
|
|
|
DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify
|
|
|
|
higher levels of verbose output.
|
|
|
|
|
|
|
|
MACs Specifies the MAC (message authentication code) algorithms in or-
|
|
|
|
der of preference. The MAC algorithm is used in protocol version
|
|
|
|
2 for data integrity protection. Multiple algorithms must be
|
2008-07-23 09:23:42 +00:00
|
|
|
comma-separated. The default is:
|
|
|
|
|
|
|
|
hmac-md5,hmac-sha1,umac-64@openssh.com,
|
|
|
|
hmac-ripemd160,hmac-sha1-96,hmac-md5-96
|
2008-07-23 09:15:38 +00:00
|
|
|
|
|
|
|
NoHostAuthenticationForLocalhost
|
|
|
|
This option can be used if the home directory is shared across
|
|
|
|
machines. In this case localhost will refer to a different ma-
|
|
|
|
chine on each of the machines and the user will get many warnings
|
|
|
|
about changed host keys. However, this option disables host au-
|
|
|
|
thentication for localhost. The argument to this keyword must be
|
|
|
|
``yes'' or ``no''. The default is to check the host key for lo-
|
|
|
|
calhost.
|
|
|
|
|
|
|
|
NumberOfPasswordPrompts
|
|
|
|
Specifies the number of password prompts before giving up. The
|
|
|
|
argument to this keyword must be an integer. The default is 3.
|
|
|
|
|
|
|
|
PasswordAuthentication
|
|
|
|
Specifies whether to use password authentication. The argument
|
|
|
|
to this keyword must be ``yes'' or ``no''. The default is
|
|
|
|
``yes''.
|
|
|
|
|
|
|
|
PermitLocalCommand
|
|
|
|
Allow local command execution via the LocalCommand option or us-
|
|
|
|
ing the !command escape sequence in ssh(1). The argument must be
|
|
|
|
``yes'' or ``no''. The default is ``no''.
|
|
|
|
|
|
|
|
Port Specifies the port number to connect on the remote host. The de-
|
|
|
|
fault is 22.
|
|
|
|
|
|
|
|
PreferredAuthentications
|
|
|
|
Specifies the order in which the client should try protocol 2 au-
|
|
|
|
thentication methods. This allows a client to prefer one method
|
|
|
|
(e.g. keyboard-interactive) over another method (e.g. password)
|
|
|
|
The default for this option is: ``gssapi-with-mic,hostbased,
|
|
|
|
publickey, keyboard-interactive, password''.
|
|
|
|
|
|
|
|
Protocol
|
|
|
|
Specifies the protocol versions ssh(1) should support in order of
|
|
|
|
preference. The possible values are `1' and `2'. Multiple ver-
|
|
|
|
sions must be comma-separated. The default is ``2,1''. This
|
|
|
|
means that ssh tries version 2 and falls back to version 1 if
|
|
|
|
version 2 is not available.
|
|
|
|
|
|
|
|
ProxyCommand
|
|
|
|
Specifies the command to use to connect to the server. The com-
|
|
|
|
mand string extends to the end of the line, and is executed with
|
2008-07-23 09:28:49 +00:00
|
|
|
the user's shell. In the command string, `%h' will be substitut-
|
|
|
|
ed by the host name to connect and `%p' by the port. The command
|
|
|
|
can be basically anything, and should read from its standard in-
|
|
|
|
put and write to its standard output. It should eventually con-
|
|
|
|
nect an sshd(8) server running on some machine, or execute sshd
|
|
|
|
-i somewhere. Host key management will be done using the Host-
|
|
|
|
Name of the host being connected (defaulting to the name typed by
|
|
|
|
the user). Setting the command to ``none'' disables this option
|
|
|
|
entirely. Note that CheckHostIP is not available for connects
|
|
|
|
with a proxy command.
|
2008-07-23 09:15:38 +00:00
|
|
|
|
|
|
|
This directive is useful in conjunction with nc(1) and its proxy
|
|
|
|
support. For example, the following directive would connect via
|
|
|
|
an HTTP proxy at 192.0.2.0:
|
|
|
|
|
|
|
|
ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
|
|
|
|
|
|
|
|
PubkeyAuthentication
|
|
|
|
Specifies whether to try public key authentication. The argument
|
|
|
|
to this keyword must be ``yes'' or ``no''. The default is
|
|
|
|
``yes''. This option applies to protocol version 2 only.
|
|
|
|
|
|
|
|
RekeyLimit
|
|
|
|
Specifies the maximum amount of data that may be transmitted be-
|
|
|
|
fore the session key is renegotiated. The argument is the number
|
|
|
|
of bytes, with an optional suffix of `K', `M', or `G' to indicate
|
|
|
|
Kilobytes, Megabytes, or Gigabytes, respectively. The default is
|
|
|
|
between `1G' and `4G', depending on the cipher. This option ap-
|
|
|
|
plies to protocol version 2 only.
|
|
|
|
|
|
|
|
RemoteForward
|
|
|
|
Specifies that a TCP port on the remote machine be forwarded over
|
|
|
|
the secure channel to the specified host and port from the local
|
|
|
|
machine. The first argument must be [bind_address:]port and the
|
|
|
|
second argument must be host:hostport. IPv6 addresses can be
|
|
|
|
specified by enclosing addresses in square brackets or by using
|
|
|
|
an alternative syntax: [bind_address/]port and host/hostport.
|
|
|
|
Multiple forwardings may be specified, and additional forwardings
|
2009-02-24 18:49:27 +00:00
|
|
|
can be given on the command line. Privileged ports can be for-
|
|
|
|
warded only when logging in as root on the remote machine.
|
|
|
|
|
|
|
|
If the port argument is `0', the listen port will be dynamically
|
|
|
|
allocated on the server and reported to the client at run time.
|
2008-07-23 09:15:38 +00:00
|
|
|
|
|
|
|
If the bind_address is not specified, the default is to only bind
|
|
|
|
to loopback addresses. If the bind_address is `*' or an empty
|
|
|
|
string, then the forwarding is requested to listen on all inter-
|
|
|
|
faces. Specifying a remote bind_address will only succeed if the
|
|
|
|
server's GatewayPorts option is enabled (see sshd_config(5)).
|
|
|
|
|
|
|
|
RhostsRSAAuthentication
|
|
|
|
Specifies whether to try rhosts based authentication with RSA
|
|
|
|
host authentication. The argument must be ``yes'' or ``no''.
|
|
|
|
The default is ``no''. This option applies to protocol version 1
|
|
|
|
only and requires ssh(1) to be setuid root.
|
|
|
|
|
|
|
|
RSAAuthentication
|
|
|
|
Specifies whether to try RSA authentication. The argument to
|
|
|
|
this keyword must be ``yes'' or ``no''. RSA authentication will
|
|
|
|
only be attempted if the identity file exists, or an authentica-
|
|
|
|
tion agent is running. The default is ``yes''. Note that this
|
|
|
|
option applies to protocol version 1 only.
|
|
|
|
|
|
|
|
SendEnv
|
|
|
|
Specifies what variables from the local environ(7) should be sent
|
|
|
|
to the server. Note that environment passing is only supported
|
|
|
|
for protocol 2. The server must also support it, and the server
|
|
|
|
must be configured to accept these environment variables. Refer
|
|
|
|
to AcceptEnv in sshd_config(5) for how to configure the server.
|
|
|
|
Variables are specified by name, which may contain wildcard char-
|
|
|
|
acters. Multiple environment variables may be separated by
|
|
|
|
whitespace or spread across multiple SendEnv directives. The de-
|
|
|
|
fault is not to send any environment variables.
|
|
|
|
|
|
|
|
See PATTERNS for more information on patterns.
|
|
|
|
|
|
|
|
ServerAliveCountMax
|
|
|
|
Sets the number of server alive messages (see below) which may be
|
|
|
|
sent without ssh(1) receiving any messages back from the server.
|
|
|
|
If this threshold is reached while server alive messages are be-
|
|
|
|
ing sent, ssh will disconnect from the server, terminating the
|
|
|
|
session. It is important to note that the use of server alive
|
|
|
|
messages is very different from TCPKeepAlive (below). The server
|
|
|
|
alive messages are sent through the encrypted channel and there-
|
|
|
|
fore will not be spoofable. The TCP keepalive option enabled by
|
|
|
|
TCPKeepAlive is spoofable. The server alive mechanism is valu-
|
|
|
|
able when the client or server depend on knowing when a connec-
|
|
|
|
tion has become inactive.
|
|
|
|
|
|
|
|
The default value is 3. If, for example, ServerAliveInterval
|
|
|
|
(see below) is set to 15 and ServerAliveCountMax is left at the
|
|
|
|
default, if the server becomes unresponsive, ssh will disconnect
|
|
|
|
after approximately 45 seconds. This option applies to protocol
|
|
|
|
version 2 only.
|
|
|
|
|
|
|
|
ServerAliveInterval
|
|
|
|
Sets a timeout interval in seconds after which if no data has
|
|
|
|
been received from the server, ssh(1) will send a message through
|
|
|
|
the encrypted channel to request a response from the server. The
|
|
|
|
default is 0, indicating that these messages will not be sent to
|
|
|
|
the server. This option applies to protocol version 2 only.
|
|
|
|
|
|
|
|
SmartcardDevice
|
|
|
|
Specifies which smartcard device to use. The argument to this
|
|
|
|
keyword is the device ssh(1) should use to communicate with a
|
|
|
|
smartcard used for storing the user's private RSA key. By de-
|
|
|
|
fault, no device is specified and smartcard support is not acti-
|
|
|
|
vated.
|
|
|
|
|
|
|
|
StrictHostKeyChecking
|
|
|
|
If this flag is set to ``yes'', ssh(1) will never automatically
|
|
|
|
add host keys to the ~/.ssh/known_hosts file, and refuses to con-
|
|
|
|
nect to hosts whose host key has changed. This provides maximum
|
|
|
|
protection against trojan horse attacks, though it can be annoy-
|
|
|
|
ing when the /etc/ssh/ssh_known_hosts file is poorly maintained
|
|
|
|
or when connections to new hosts are frequently made. This op-
|
|
|
|
tion forces the user to manually add all new hosts. If this flag
|
|
|
|
is set to ``no'', ssh will automatically add new host keys to the
|
|
|
|
user known hosts files. If this flag is set to ``ask'', new host
|
|
|
|
keys will be added to the user known host files only after the
|
|
|
|
user has confirmed that is what they really want to do, and ssh
|
|
|
|
will refuse to connect to hosts whose host key has changed. The
|
|
|
|
host keys of known hosts will be verified automatically in all
|
|
|
|
cases. The argument must be ``yes'', ``no'', or ``ask''. The
|
|
|
|
default is ``ask''.
|
|
|
|
|
|
|
|
TCPKeepAlive
|
|
|
|
Specifies whether the system should send TCP keepalive messages
|
|
|
|
to the other side. If they are sent, death of the connection or
|
|
|
|
crash of one of the machines will be properly noticed. However,
|
|
|
|
this means that connections will die if the route is down tem-
|
|
|
|
porarily, and some people find it annoying.
|
|
|
|
|
|
|
|
The default is ``yes'' (to send TCP keepalive messages), and the
|
|
|
|
client will notice if the network goes down or the remote host
|
|
|
|
dies. This is important in scripts, and many users want it too.
|
|
|
|
|
|
|
|
To disable TCP keepalive messages, the value should be set to
|
|
|
|
``no''.
|
|
|
|
|
|
|
|
Tunnel Request tun(4) device forwarding between the client and the serv-
|
|
|
|
er. The argument must be ``yes'', ``point-to-point'' (layer 3),
|
|
|
|
``ethernet'' (layer 2), or ``no''. Specifying ``yes'' requests
|
|
|
|
the default tunnel mode, which is ``point-to-point''. The de-
|
|
|
|
fault is ``no''.
|
|
|
|
|
|
|
|
TunnelDevice
|
|
|
|
Specifies the tun(4) devices to open on the client (local_tun)
|
|
|
|
and the server (remote_tun).
|
|
|
|
|
|
|
|
The argument must be local_tun[:remote_tun]. The devices may be
|
|
|
|
specified by numerical ID or the keyword ``any'', which uses the
|
|
|
|
next available tunnel device. If remote_tun is not specified, it
|
|
|
|
defaults to ``any''. The default is ``any:any''.
|
|
|
|
|
|
|
|
UsePrivilegedPort
|
|
|
|
Specifies whether to use a privileged port for outgoing connec-
|
|
|
|
tions. The argument must be ``yes'' or ``no''. The default is
|
|
|
|
``no''. If set to ``yes'', ssh(1) must be setuid root. Note
|
|
|
|
that this option must be set to ``yes'' for
|
|
|
|
RhostsRSAAuthentication with older servers.
|
|
|
|
|
|
|
|
User Specifies the user to log in as. This can be useful when a dif-
|
|
|
|
ferent user name is used on different machines. This saves the
|
|
|
|
trouble of having to remember to give the user name on the com-
|
|
|
|
mand line.
|
|
|
|
|
|
|
|
UserKnownHostsFile
|
|
|
|
Specifies a file to use for the user host key database instead of
|
|
|
|
~/.ssh/known_hosts.
|
|
|
|
|
|
|
|
VerifyHostKeyDNS
|
|
|
|
Specifies whether to verify the remote key using DNS and SSHFP
|
|
|
|
resource records. If this option is set to ``yes'', the client
|
|
|
|
will implicitly trust keys that match a secure fingerprint from
|
|
|
|
DNS. Insecure fingerprints will be handled as if this option was
|
|
|
|
set to ``ask''. If this option is set to ``ask'', information on
|
|
|
|
fingerprint match will be displayed, but the user will still need
|
|
|
|
to confirm new host keys according to the StrictHostKeyChecking
|
|
|
|
option. The argument must be ``yes'', ``no'', or ``ask''. The
|
|
|
|
default is ``no''. Note that this option applies to protocol
|
|
|
|
version 2 only.
|
|
|
|
|
|
|
|
See also VERIFYING HOST KEYS in ssh(1).
|
|
|
|
|
2008-07-23 09:33:08 +00:00
|
|
|
VisualHostKey
|
|
|
|
If this flag is set to ``yes'', an ASCII art representation of
|
2009-02-24 18:49:27 +00:00
|
|
|
the remote host key fingerprint is printed in addition to the hex
|
|
|
|
fingerprint string at login and for unknown host keys. If this
|
|
|
|
flag is set to ``no'', no fingerprint strings are printed at lo-
|
|
|
|
gin and only the hex fingerprint string will be printed for un-
|
|
|
|
known host keys. The default is ``no''.
|
2008-07-23 09:33:08 +00:00
|
|
|
|
2008-07-23 09:15:38 +00:00
|
|
|
XAuthLocation
|
|
|
|
Specifies the full pathname of the xauth(1) program. The default
|
|
|
|
is /usr/X11R6/bin/xauth.
|
|
|
|
|
|
|
|
PATTERNS
|
|
|
|
A pattern consists of zero or more non-whitespace characters, `*' (a
|
|
|
|
wildcard that matches zero or more characters), or `?' (a wildcard that
|
|
|
|
matches exactly one character). For example, to specify a set of decla-
|
|
|
|
rations for any host in the ``.co.uk'' set of domains, the following pat-
|
|
|
|
tern could be used:
|
|
|
|
|
|
|
|
Host *.co.uk
|
|
|
|
|
|
|
|
The following pattern would match any host in the 192.168.0.[0-9] network
|
|
|
|
range:
|
|
|
|
|
|
|
|
Host 192.168.0.?
|
|
|
|
|
|
|
|
A pattern-list is a comma-separated list of patterns. Patterns within
|
|
|
|
pattern-lists may be negated by preceding them with an exclamation mark
|
|
|
|
(`!'). For example, to allow a key to be used from anywhere within an
|
|
|
|
organisation except from the ``dialup'' pool, the following entry (in au-
|
|
|
|
thorized_keys) could be used:
|
|
|
|
|
|
|
|
from="!*.dialup.example.com,*.example.com"
|
|
|
|
|
|
|
|
FILES
|
|
|
|
~/.ssh/config
|
|
|
|
This is the per-user configuration file. The format of this file
|
|
|
|
is described above. This file is used by the SSH client. Be-
|
|
|
|
cause of the potential for abuse, this file must have strict per-
|
|
|
|
missions: read/write for the user, and not accessible by others.
|
|
|
|
|
|
|
|
/etc/ssh/ssh_config
|
|
|
|
Systemwide configuration file. This file provides defaults for
|
|
|
|
those values that are not specified in the user's configuration
|
|
|
|
file, and for those users who do not have a configuration file.
|
|
|
|
This file must be world-readable.
|
|
|
|
|
|
|
|
SEE ALSO
|
|
|
|
ssh(1)
|
|
|
|
|
|
|
|
AUTHORS
|
|
|
|
OpenSSH is a derivative of the original and free ssh 1.2.12 release by
|
|
|
|
Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
|
|
|
|
de Raadt and Dug Song removed many bugs, re-added newer features and cre-
|
|
|
|
ated OpenSSH. Markus Friedl contributed the support for SSH protocol
|
|
|
|
versions 1.5 and 2.0.
|
|
|
|
|
2009-10-01 15:19:37 +00:00
|
|
|
OpenBSD 4.6 February 22, 2009 11
|