Print this page
3477 SunSSH config should accept TCPKeepAlive as synonym for KeepAlive
Reviewed by: Jerry Jelinek <jerry@joyent.com>
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/man/man4/ssh_config.4
+++ new/usr/src/man/man4/ssh_config.4
1 1 '\" te
2 2 .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
3 +.\" Copyright (c) 2013, Joyent, Inc. All Rights Reserved.
3 4 .\" To view Portions Copyright for OpenSSH, the default path is /var/sadm/pkg/SUNWsshdr/install/copyright. If the Solaris operating environment has been installed anywhere other than the default, modify the specified path to access the file at the installed location.
4 5 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
5 6 .\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with
6 7 .\" the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
7 -.TH SSH_CONFIG 4 "Apr 20, 2009"
8 +.TH SSH_CONFIG 4 "Jan 17, 2013"
8 9 .SH NAME
9 10 ssh_config \- ssh configuration file
10 11 .SH SYNOPSIS
11 12 .LP
12 13 .nf
13 14 \fB/etc/ssh/ssh_config\fR
14 15 .fi
15 16
16 17 .LP
17 18 .nf
18 19 \fB$HOME/.ssh/config\fR
19 20 .fi
20 21
21 22 .SH DESCRIPTION
22 23 .sp
23 24 .LP
24 25 The first \fBssh_config\fR path, above, provides the system-wide defaults for
25 26 \fBssh\fR(1). The second version is user-specific defaults for \fBssh\fR.
26 27 .sp
27 28 .LP
28 29 \fBssh\fR obtains configuration data from the following sources, in this order:
29 30 command line options, user's configuration file (\fB$HOME/.ssh/config\fR), and
30 31 system-wide configuration file (\fB/etc/ssh/ssh_config\fR). For each parameter,
31 32 the first obtained value is used. The configuration files contain sections
32 33 bracketed by \fBHost\fR specifications, and that section is applied only for
33 34 hosts that match one of the patterns given in the specification. The matched
34 35 host name is the one given on the command line.
35 36 .sp
36 37 .LP
37 38 Since the first obtained value for each parameter is used, host-specific
38 39 declarations should be given near the beginning of the file, and general
39 40 defaults at the end.
40 41 .sp
41 42 .LP
42 43 The configuration file has the following format and syntax:
43 44 .RS +4
44 45 .TP
45 46 .ie t \(bu
46 47 .el o
47 48 Empty lines and lines starting with \fB#\fR are comments.
48 49 .RE
49 50 .RS +4
50 51 .TP
51 52 .ie t \(bu
52 53 .el o
53 54 Non-commented lines are of the form:
54 55 .sp
55 56 .in +2
56 57 .nf
57 58 \fIkeyword\fR \fIarguments\fR
58 59 .fi
59 60 .in -2
60 61 .sp
61 62
62 63 .RE
63 64 .RS +4
64 65 .TP
65 66 .ie t \(bu
66 67 .el o
67 68 Configuration options can be separated by white space or optional whitespace
68 69 and exactly one equal sign. The latter format allows you to avoid the need to
69 70 quote white space when specifying configuration options using the \fB-o\fR
70 71 option to \fBssh\fR, \fBscp\fR, and \fBsftp\fR.
71 72 .RE
72 73 .sp
73 74 .LP
74 75 The possible keywords and their meanings are listed in the following
75 76 list.Keywords are case-insensitive and arguments are case-sensitive.
76 77 .sp
77 78 .ne 2
78 79 .na
79 80 \fB\fBBatchMode\fR\fR
80 81 .ad
81 82 .sp .6
82 83 .RS 4n
83 84 The argument must be \fByes\fR or \fBno\fR. If set to \fByes\fR,
84 85 passphrase/password querying is disabled. This option is useful in scripts and
85 86 other batch jobs where you have no user to supply the password.
86 87 .RE
87 88
88 89 .sp
89 90 .ne 2
90 91 .na
91 92 \fB\fBBindAddress\fR\fR
92 93 .ad
93 94 .sp .6
94 95 .RS 4n
95 96 Specify the interface to transmit from on machines with multiple interfaces or
96 97 aliased addresses. This option does not work if \fBUsePrivilegedPort\fR is set
97 98 to \fByes\fR.
98 99 .RE
99 100
100 101 .sp
101 102 .ne 2
102 103 .na
103 104 \fB\fBCheckHostIP\fR\fR
104 105 .ad
105 106 .sp .6
106 107 .RS 4n
107 108 If this flag is set to \fByes\fR, \fBssh\fR additionally checks the host IP
108 109 address in the \fBknown_hosts\fR file. This allows \fBssh\fR to detect if a
109 110 host key changed due to DNS spoofing. If the option is set to \fBno\fR, the
110 111 check is not executed.
111 112 .RE
112 113
113 114 .sp
114 115 .ne 2
115 116 .na
116 117 \fB\fBCipher\fR\fR
117 118 .ad
118 119 .sp .6
119 120 .RS 4n
120 121 Specifies the cipher to use for encrypting the session in protocol version 1.
121 122 Only a single cipher can be specified. Currently, \fBblowfish, 3des,\fR and
122 123 \fBdes\fR are supported. \fB3des\fR (triple-\fBdes\fR) is an
123 124 encrypt-decrypt-encrypt triple with three different keys. It is believed to be
124 125 secure. \fBblowfish\fR is a fast block cipher. It appears very secure and is
125 126 much faster than \fB3des\fR. \fBdes\fR is only supported in the \fBssh\fR
126 127 client for interoperability with legacy protocol 1 implementations that do not
127 128 support the \fB3des\fR cipher. Its use is strongly discouraged due to
128 129 cryptographic weaknesses. The default is \fB3des\fR.
129 130 .RE
130 131
131 132 .sp
132 133 .ne 2
133 134 .na
134 135 \fB\fBCiphers\fR\fR
135 136 .ad
136 137 .sp .6
137 138 .RS 4n
138 139 Specifies the ciphers allowed for protocol version 2 in order of preference.
139 140 Multiple ciphers must be comma separated.
140 141 .sp
141 142 The default cipher list contains all supported ciphers in this order:
142 143 .sp
143 144 .in +2
144 145 .nf
145 146 aes128-ctr, aes192-ctr, aes256-ctr, arcfour128, arcfour256, arcfour, aes128-cbc,
146 147 aes192-cbc, aes256-cbc, arcfour, 3des-cbc,blowfish-cbc
147 148 .fi
148 149 .in -2
149 150 .sp
150 151
151 152 While CBC modes are not considered as secure as other modes in connection with
152 153 the SSH protocol 2 they are present at the back of the default client cipher
153 154 list for backward compatibility with SSH servers that do not support other
154 155 cipher modes.
155 156 .RE
156 157
157 158 .sp
158 159 .ne 2
159 160 .na
160 161 \fB\fBClearAllForwardings\fR\fR
161 162 .ad
162 163 .sp .6
163 164 .RS 4n
164 165 Specifies that all local, remote, and dynamic port forwardings specified in the
165 166 configuration files or on the command line be cleared. This option is primarily
166 167 useful when used from the \fBssh\fR command line to clear port forwardings set
167 168 in configuration files and is automatically set by \fBscp\fR(1) and
168 169 \fBsftp\fR(1). The argument must be \fByes\fR or \fBno\fR. The default is
169 170 \fBno\fR.
170 171 .RE
171 172
172 173 .sp
173 174 .ne 2
174 175 .na
175 176 \fB\fBCompression\fR\fR
176 177 .ad
177 178 .sp .6
178 179 .RS 4n
179 180 Specifies whether to use compression. The argument must be \fByes\fR or
180 181 \fBno\fR. Defaults to \fBno\fR.
181 182 .RE
182 183
183 184 .sp
184 185 .ne 2
185 186 .na
186 187 \fB\fBCompressionLevel\fR\fR
187 188 .ad
188 189 .sp .6
189 190 .RS 4n
190 191 Specifies the compression level to use if compression is enabled. The argument
191 192 must be an integer from 1 (fast) to 9 (slow, best). The default level is 6,
192 193 which is good for most applications. This option applies to protocol version 1
193 194 only.
194 195 .RE
195 196
196 197 .sp
197 198 .ne 2
198 199 .na
199 200 \fB\fBConnectionAttempts\fR\fR
200 201 .ad
201 202 .sp .6
202 203 .RS 4n
203 204 Specifies the number of tries (one per second) to make before falling back to
204 205 \fBrsh\fR or exiting. The argument must be an integer. This can be useful in
205 206 scripts if the connection sometimes fails. The default is 1.
206 207 .RE
207 208
208 209 .sp
209 210 .ne 2
210 211 .na
211 212 \fB\fBConnectTimeout\fR\fR
212 213 .ad
213 214 .sp .6
214 215 .RS 4n
215 216 Specifies the timeout (in seconds) used when connecting to the \fBssh\fR
216 217 server, instead of using the default system TCP timeout. This value is used
217 218 only when the target is down or truly unreachable, not when it refuses the
218 219 connection.
219 220 .RE
220 221
221 222 .sp
222 223 .ne 2
223 224 .na
224 225 \fB\fBDisableBanner\fR\fR
225 226 .ad
226 227 .sp .6
227 228 .RS 4n
228 229 If set to \fByes\fR, disables the display of the banner message. If set to
229 230 \fBin-exec-mode\fR, disables the display of banner message when in remote
230 231 command mode only.
231 232 .sp
232 233 The default value is \fBno\fR, which means that the banner is displayed unless
233 234 the log level is \fBQUIET\fR, \fBFATAL\fR, or \fBERROR\fR. See also the
234 235 \fBBanner\fR option in \fBsshd_config\fR(4). This option applies to protocol
235 236 version 2 only.
236 237 .RE
237 238
238 239 .sp
239 240 .ne 2
240 241 .na
241 242 \fB\fBDynamicForward\fR\fR
242 243 .ad
243 244 .sp .6
244 245 .RS 4n
245 246 Specifies that a TCP/IP port on the local machine be forwarded over the secure
246 247 channel. The application protocol is then used to determine where to connect to
247 248 from the remote machine.
248 249 .sp
249 250 The argument must be \fB[\fR\fIbind_address\fR\fB:]\fR\fIport\fR. IPv6
250 251 addresses can be specified by enclosing addresses in square brackets or by
251 252 using an alternative syntax: \fB[\fR\fIbind_address\fR\fB/]\fR\fIport\fR. By
252 253 default, the local port is bound in accordance with the \fBGatewayPorts\fR
253 254 setting. However, an explicit \fIbind_address\fR can be used to bind the
254 255 connection to a specific address. The \fIbind_address\fR of \fBlocalhost\fR
255 256 indicates that the listening port be bound for local use only, while an empty
256 257 address or \fB*\fR indicates that the port should be available from all
257 258 interfaces.
258 259 .sp
259 260 Currently the \fBSOCKS4\fR and \fBSOCKS5\fR protocols are supported, and
260 261 \fBssh\fR acts as a \fBSOCKS\fR server. Multiple forwardings can be specified
261 262 and additional forwardings can be specified on the command line. Only a user
262 263 with enough privileges can forward privileged ports.
263 264 .RE
264 265
265 266 .sp
266 267 .ne 2
267 268 .na
268 269 \fB\fBEscapeChar\fR\fR
269 270 .ad
270 271 .sp .6
271 272 .RS 4n
272 273 Sets the escape character. The default is tilde (\fB~\fR). The escape character
273 274 can also be set on the command line. The argument should be a single character,
274 275 \fB^\fR, followed by a letter, or \fBnone\fR to disable the escape character
275 276 entirely (making the connection transparent for binary data).
276 277 .RE
277 278
278 279 .sp
279 280 .ne 2
280 281 .na
281 282 \fB\fBFallBackToRsh\fR\fR
282 283 .ad
283 284 .sp .6
284 285 .RS 4n
285 286 Specifies that if connecting with \fBssh\fR fails due to a connection refused
286 287 error (there is no \fBsshd\fR(1M) listening on the remote host), \fBrsh\fR(1)
287 288 should automatically be used instead (after a suitable warning about the
288 289 session being unencrypted). The argument must be \fByes\fR or \fBno\fR.
289 290 .RE
290 291
291 292 .sp
292 293 .ne 2
293 294 .na
294 295 \fB\fBForwardAgent\fR\fR
295 296 .ad
296 297 .sp .6
297 298 .RS 4n
298 299 Specifies whether the connection to the authentication agent (if any) is
299 300 forwarded to the remote machine. The argument must be \fByes\fR or \fBno\fR.
300 301 The default is \fBno\fR.
301 302 .sp
302 303 Agent forwarding should be enabled with caution. Users with the ability to
303 304 bypass file permissions on the remote host (for the agent's Unix-domain socket)
304 305 can access the local agent through the forwarded connection. An attacker cannot
305 306 obtain key material from the agent, however he can perform operations on the
306 307 keys that enable him to authenticate using the identities loaded into the
307 308 agent.
308 309 .RE
309 310
310 311 .sp
311 312 .ne 2
312 313 .na
313 314 \fB\fBForwardX11\fR\fR
314 315 .ad
315 316 .sp .6
316 317 .RS 4n
317 318 Specifies whether X11 connections are automatically redirected over the secure
318 319 channel and \fBDISPLAY\fR set. The argument must be \fByes\fR or \fBno\fR. The
319 320 default is \fBno\fR.
320 321 .sp
321 322 X11 forwarding should be enabled with caution. Users with the ability to bypass
322 323 file permissions on the remote host (for the user's X authorization database)
323 324 can access the local \fBX11\fR display through the forwarded connection. An
324 325 attacker might then be able to perform activities such as keystroke monitoring.
325 326 See the \fBForwardX11Trusted\fR option for more information how to prevent
326 327 this.
327 328 .RE
328 329
329 330 .sp
330 331 .ne 2
331 332 .na
332 333 \fB\fBForwardX11Trusted\fR\fR
333 334 .ad
334 335 .sp .6
335 336 .RS 4n
336 337 If this option is set to \fByes\fR, remote X11 clients have full access to the
337 338 original X11 display. This option is set to \fByes\fR by default.
338 339 .sp
339 340 If this option is set to \fBno\fR, remote X11 clients are considered untrusted
340 341 and prevented from stealing or tampering with data belonging to trusted X11
341 342 clients. Furthermore, the \fBxauth\fR(1) token used for the session is set to
342 343 expire after 20 minutes. Remote clients are refused access after this time.
343 344 .sp
344 345 See the X11 SECURITY extension specification for full details on the
345 346 restrictions imposed on untrusted clients.
346 347 .RE
347 348
348 349 .sp
349 350 .ne 2
350 351 .na
351 352 \fB\fBGatewayPorts\fR\fR
352 353 .ad
353 354 .sp .6
354 355 .RS 4n
355 356 Specifies whether remote hosts are allowed to connect to local forwarded ports.
356 357 By default, \fBssh\fR binds local port forwardings to the loopback address.
357 358 This prevents other remote hosts from connecting to forwarded ports.
358 359 \fBGatewayPorts\fR can be used to specify that \fBssh\fR should bind local port
359 360 forwardings to the wildcard address, thus allowing remote hosts to connect to
360 361 forwarded ports. The argument must be \fByes\fR or \fBno\fR. The default is
361 362 \fBno\fR.
362 363 .RE
363 364
364 365 .sp
365 366 .ne 2
366 367 .na
367 368 \fB\fBGlobalKnownHostsFile\fR\fR
368 369 .ad
369 370 .sp .6
370 371 .RS 4n
371 372 Specifies a file to use instead of \fB/etc/ssh/ssh_known_hosts\fR.
372 373 .RE
373 374
374 375 .sp
375 376 .ne 2
376 377 .na
377 378 \fB\fBGSSAPIAuthentication\fR\fR
378 379 .ad
379 380 .sp .6
380 381 .RS 4n
381 382 Enables/disables GSS-API user authentication. The default is \fByes\fR.
382 383 .RE
383 384
384 385 .sp
385 386 .ne 2
386 387 .na
387 388 \fB\fBGSSAPIDelegateCredentials\fR\fR
388 389 .ad
389 390 .sp .6
390 391 .RS 4n
391 392 Enables/disables GSS-API credential forwarding. The default is \fBno\fR.
392 393 .RE
393 394
394 395 .sp
395 396 .ne 2
396 397 .na
397 398 \fB\fBGSSAPIKeyExchange\fR\fR
398 399 .ad
399 400 .sp .6
400 401 .RS 4n
401 402 Enables/disables GSS-API-authenticated key exchanges. The default is \fByes\fR.
402 403 .sp
403 404 This option is intended primarily to allow users to disable the use of GSS-API
404 405 key exchange for SSHv2 when it would otherwise be selected and then fail (due
405 406 to server misconfiguration, for example). SSHv2 key exchange failure always
406 407 results in disconnection.
407 408 .sp
408 409 This option also enables the use of the GSS-API to authenticate the user to the
409 410 server after the key exchange. GSS-API key exchange can succeed but the
410 411 subsequent authentication using the GSS-API fail if the server does not
411 412 authorize the user's GSS principal name to the target user account.
412 413 .RE
413 414
414 415 .sp
415 416 .ne 2
416 417 .na
417 418 \fB\fBHashKnownHosts\fR\fR
418 419 .ad
419 420 .sp .6
420 421 .RS 4n
421 422 Indicates that \fBssh\fR(1), should hash host names and addresses when they are
422 423 added to \fB~/.ssh/known_hosts\fR. These hashed names can be used normally by
423 424 \fBssh\fR(1) and \fBsshd\fR(1M), but they do not reveal identifying information
424 425 should the file's contents be disclosed. The default is \fBno\fR. Existing
425 426 names and addresses in known hosts files are not be converted automatically,
426 427 but can be manually hashed using \fBssh-keygen\fR(1).
427 428 .RE
428 429
429 430 .sp
430 431 .ne 2
431 432 .na
432 433 \fB\fBHost\fR\fR
433 434 .ad
434 435 .sp .6
435 436 .RS 4n
436 437 Restricts the following declarations (up to the next \fBHost\fR keyword) to be
437 438 only for those hosts that match one of the patterns given after the keyword. An
438 439 asterisk (\fB*\fR) and a question mark (\fB?\fR) can be used as wildcards in
439 440 the patterns. A single asterisk as a pattern can be used to provide global
440 441 defaults for all hosts. The host is the host name argument given on the command
441 442 line (that is, the name is not converted to a canonicalized host name before
442 443 matching).
443 444 .RE
444 445
445 446 .sp
446 447 .ne 2
447 448 .na
448 449 \fB\fBHostbasedAuthentication\fR\fR
449 450 .ad
450 451 .sp .6
451 452 .RS 4n
452 453 Specifies whether to try \fBrhosts\fR-based authentication with public key
453 454 authentication. The argument must be \fByes\fR or \fBno\fR. The default is
454 455 \fBno\fR. This option applies to protocol version 2 only and is similar to
455 456 \fBRhostsRSAAuthentication\fR.
456 457 .RE
457 458
458 459 .sp
459 460 .ne 2
460 461 .na
461 462 \fB\fBHostKeyAlgorithms\fR\fR
462 463 .ad
463 464 .sp .6
464 465 .RS 4n
465 466 Specifies the protocol version 2 host key algorithms that the client wants to
466 467 use in order of preference. The default for this option is:
467 468 \fBssh-rsa,ssh-dss\fR.
468 469 .RE
469 470
470 471 .sp
471 472 .ne 2
472 473 .na
473 474 \fB\fBHostKeyAlias\fR\fR
474 475 .ad
475 476 .sp .6
476 477 .RS 4n
477 478 Specifies an alias that should be used instead of the real host name when
478 479 looking up or saving the host key in the host key database files. This option
479 480 is useful for tunneling \fBssh\fR connections or for multiple servers running
480 481 on a single host.
481 482 .RE
482 483
483 484 .sp
484 485 .ne 2
485 486 .na
486 487 \fB\fBHostName\fR\fR
487 488 .ad
488 489 .sp .6
489 490 .RS 4n
490 491 Specifies the real host name to log into. This can be used to specify nicknames
491 492 or abbreviations for hosts. Default is the name given on the command line.
492 493 Numeric IP addresses are also permitted (both on the command line and in
493 494 \fBHostName\fR specifications).
494 495 .RE
495 496
496 497 .sp
497 498 .ne 2
498 499 .na
499 500 \fB\fBIdentityFile\fR\fR
500 501 .ad
501 502 .sp .6
502 503 .RS 4n
503 504 Specifies a file from which the user's RSA or DSA authentication identity is
504 505 read. The default is \fB$HOME/.ssh/identity\fR for protocol version 1 and
505 506 \fB$HOME/.ssh/id_rsa\fR and \fB$HOME/.ssh/id_dsa\fR for protocol version 2.
506 507 Additionally, any identities represented by the authentication agent is used
507 508 for authentication. The file name can use the tilde syntax to refer to a user's
508 509 home directory. It is possible to have multiple identity files specified in
509 510 configuration files; all these identities is tried in sequence.
510 511 .RE
511 512
512 513 .sp
513 514 .ne 2
514 515 .na
515 516 \fB\fBIgnoreIfUnknown\fR\fR
516 517 .ad
517 518 .sp .6
518 519 .RS 4n
519 520 Specifies a comma-separated list of \fBssh_config\fR parameters, which, if
520 521 unknown to \fBssh\fR(1), are to be ignored by \fBssh\fR.
|
↓ open down ↓ |
503 lines elided |
↑ open up ↑ |
521 522 .sp
522 523 This parameter is primarily intended to be used in the per-user
523 524 \fBssh_config\fR, \fB~/.ssh/config\fR. While this parameter can also be used in
524 525 the system wide \fB/etc/ssh/ssh_config\fR file, it is generally useless as the
525 526 capabilities of the \fBssh\fR(1) client on that host should match that file.
526 527 .RE
527 528
528 529 .sp
529 530 .ne 2
530 531 .na
531 -\fB\fBKeepAlive\fR\fR
532 +\fB\fBTCPKeepAlive\fR\fR
532 533 .ad
533 534 .sp .6
534 535 .RS 4n
535 536 Specifies whether the system should send TCP keepalive messages to the other
536 537 side. If they are sent, death of the connection or crash of one of the machines
537 538 is properly noticed. However, this means that connections die if the route is
538 539 down temporarily, which can be a source of annoyance.
539 540 .sp
540 541 The default is \fByes\fR (to send keepalives), which means the client notices
541 542 if the network goes down or the remote host dies. This is important in scripts,
542 543 and many users want it too. To disable keepalives, the value should be set to
543 544 \fBno\fR in both the server and the client configuration files.
544 545 .RE
545 546
546 547 .sp
547 548 .ne 2
548 549 .na
549 550 \fB\fBLocalForward\fR\fR
550 551 .ad
551 552 .sp .6
552 553 .RS 4n
553 554 Specifies that a TCP/IP port on the local machine be forwarded over the secure
554 555 channel to a given \fIhost\fR:\fIport\fR from the remote machine. The first
555 556 argument must be \fB[\fR\fIbind_address\fR\fB:]\fR\fIport\fR and the second
556 557 must be \fIhost\fR\fB:\fR\fIport\fR. IPv6 addresses can be specified by
557 558 enclosing addresses in square brackets or by using an alternative syntax:
558 559 \fB[\fR\fIbind_address\fR\fB/]\fR\fIport\fR and \fIhost\fR\fB/\fR\fIport\fR.
559 560 Multiple forwardings can be specified and additional forwardings can be given
560 561 on the command line. Only a user with enough privileges can forward privileged
561 562 ports. By default, the local port is bound in accordance with the
562 563 \fBGatewayPorts\fR setting. However, an explicit \fIbind_address\fR can be used
563 564 to bind the connection to a specific address. The \fIbind_address\fR of
564 565 \fIlocalhost\fR indicates that the listening port be bound for local use only,
565 566 while an empty address or \fB*\fR indicates that the port should be available
566 567 from all interfaces.
567 568 .RE
568 569
569 570 .sp
570 571 .ne 2
571 572 .na
572 573 \fB\fBLogLevel\fR\fR
573 574 .ad
574 575 .sp .6
575 576 .RS 4n
576 577 Gives the verbosity level that is used when logging messages from \fBssh\fR.
577 578 The possible values are: \fBFATAL\fR, \fBERROR\fR, \fBQUIET\fR, \fBINFO\fR,
578 579 \fBVERBOSE\fR, \fBDEBUG\fR, \fBDEBUG1\fR, \fBDEBUG2\fR, and \fBDEBUG3\fR. The
579 580 default is \fBINFO\fR. \fBDEBUG\fR and \fBDEBUG1\fR are equivalent.
580 581 \fBDEBUG2\fR and \fBDEBUG3\fR each specify higher levels of verbose output.
581 582 .RE
582 583
583 584 .sp
584 585 .ne 2
585 586 .na
586 587 \fB\fBMACs\fR\fR
587 588 .ad
588 589 .sp .6
589 590 .RS 4n
590 591 Specifies the MAC (message authentication code) algorithms in order of
591 592 preference. The MAC algorithm is used in protocol version 2 for data integrity
592 593 protection. Multiple algorithms must be comma-separated. The default is
593 594 \fBhmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96\fR.
594 595 .RE
595 596
596 597 .sp
597 598 .ne 2
598 599 .na
599 600 \fB\fBNoHostAuthenticationForLocalhost\fR\fR
600 601 .ad
601 602 .sp .6
602 603 .RS 4n
603 604 This option can be used if the home directory is shared across machines. In
604 605 this case \fBlocalhost\fR refers to a different machine on each of the machines
605 606 and the user gets many warnings about changed host keys. However, this option
606 607 disables host authentication for \fBlocalhost\fR. The argument to this keyword
607 608 must be \fByes\fR or \fBno\fR. The default is to check the host key for
608 609 \fBlocalhost\fR.
609 610 .RE
610 611
611 612 .sp
612 613 .ne 2
613 614 .na
614 615 \fB\fBNumberOfPasswordPrompts\fR\fR
615 616 .ad
616 617 .sp .6
617 618 .RS 4n
618 619 Specifies the number of attempts before giving up for password and
619 620 keyboard-interactive methods. Attempts for each method are counted separately.
620 621 The argument to this keyword must be an integer. The default is 3.
621 622 .RE
622 623
623 624 .sp
624 625 .ne 2
625 626 .na
626 627 \fB\fBPasswordAuthentication\fR\fR
627 628 .ad
628 629 .sp .6
629 630 .RS 4n
630 631 Specifies whether to use password authentication. The argument to this keyword
631 632 must be \fByes\fR or \fBno\fR. This option applies to both protocol versions 1
632 633 and 2. The default is \fByes\fR.
633 634 .RE
634 635
635 636 .sp
636 637 .ne 2
637 638 .na
638 639 \fB\fBPort\fR\fR
639 640 .ad
640 641 .sp .6
641 642 .RS 4n
642 643 Specifies the port number to connect on the remote host. The default is 22.
643 644 .RE
644 645
645 646 .sp
646 647 .ne 2
647 648 .na
648 649 \fB\fBPreferredAuthentications\fR\fR
649 650 .ad
650 651 .sp .6
651 652 .RS 4n
652 653 Specifies the order in which the client should try protocol 2 authentication
653 654 methods. This allows a client to prefer one method (for example,
654 655 \fBkeyboard-interactive\fR) over another method (for example, \fBpassword\fR).
655 656 The default for this option is:
656 657 \fBhostbased,publickey,keyboard-interactive,password\fR.
657 658 .RE
658 659
659 660 .sp
660 661 .ne 2
661 662 .na
662 663 \fB\fBProtocol\fR\fR
663 664 .ad
664 665 .sp .6
665 666 .RS 4n
666 667 Specifies the protocol versions \fBssh\fR should support in order of
667 668 preference. The possible values are \fB1\fR and \fB2\fR. Multiple versions must
668 669 be comma-separated. The default is \fB2,1\fR. This means that \fBssh\fR tries
669 670 version 2 and falls back to version 1 if version 2 is not available.
670 671 .RE
671 672
672 673 .sp
673 674 .ne 2
674 675 .na
675 676 \fB\fBProxyCommand\fR\fR
676 677 .ad
677 678 .sp .6
678 679 .RS 4n
679 680 Specifies the command to use to connect to the server. The command string
680 681 extends to the end of the line, and is executed with \fB/bin/sh\fR. In the
681 682 command string, \fB%h\fR is substituted by the host name to connect and
682 683 \fB%p\fR by the port. The string can be any valid command, and should read from
683 684 its standard input and write to its standard output. It should eventually
684 685 connect an \fBsshd\fR(1M) server running on some machine, or execute \fBsshd\fR
685 686 \fB-i\fR somewhere. Host key management is done using the \fBHostName\fR of the
686 687 host being connected (defaulting to the name typed by the user).
687 688 \fBCheckHostIP\fR is not available for connects with a proxy command.
688 689 .RE
689 690
690 691 .sp
691 692 .ne 2
692 693 .na
693 694 \fB\fBPubkeyAuthentication\fR\fR
694 695 .ad
695 696 .sp .6
696 697 .RS 4n
697 698 Specifies whether to try public key authentication. The argument to this
698 699 keyword must be \fByes\fR or \fBno\fR. The default is \fByes\fR. This option
699 700 applies to protocol version 2 only.
700 701 .RE
701 702
702 703 .sp
703 704 .ne 2
704 705 .na
705 706 \fB\fBRekeyLimit\fR\fR
706 707 .ad
707 708 .sp .6
708 709 .RS 4n
709 710 Specifies the maximum amount of data that can be transmitted before the session
710 711 key is renegotiated. The argument is the number of bytes, with an optional
711 712 suffix of \fBK\fR, \fBM\fR, or \fBG\fR to indicate Kilobytes, Megabytes, or
712 713 Gigabytes, respectively. The default is between \fB1G\fR and \fB4G\fR,
713 714 depending on the cipher. This option applies to protocol version 2 only.
714 715 .RE
715 716
716 717 .sp
717 718 .ne 2
718 719 .na
719 720 \fB\fBRemoteForward\fR\fR
720 721 .ad
721 722 .sp .6
722 723 .RS 4n
723 724 Specifies that a TCP/IP port on the remote machine be forwarded over the secure
724 725 channel to a given \fB\fIhost\fR:\fIport\fR\fR from the local machine. The
725 726 first argument must be \fB[\fR\fIbind_address\fR\fB:]\fR\fIport\fR and the
726 727 second argument must be \fIhost\fR\fB:\fR\fIport\fR. IPv6 addresses can be
727 728 specified by enclosing addresses in square brackets or by using an alternative
728 729 syntax: \fB[\fR\fIbind_address\fR\fB/]\fR\fIport\fR and
729 730 \fIhost\fR\fB/\fR\fIport\fR. You can specify multiple forwardings and give
730 731 additional forwardings on the command line. Only a user with enough privileges
731 732 can forward privileged ports.
732 733 .sp
733 734 If the \fIbind_address\fR is not specified, the default is to only bind to
734 735 loopback addresses. If the \fIbind_address\fR is \fB*\fR or an empty string,
735 736 then the forwarding is requested to listen on all interfaces. Specifying a
736 737 remote \fIbind_address\fR only succeeds if the server's \fBGatewayPorts\fR
737 738 option is enabled. See \fBsshd_config\fR(4).
738 739 .RE
739 740
740 741 .sp
741 742 .ne 2
742 743 .na
743 744 \fB\fBRhostsAuthentication\fR\fR
744 745 .ad
745 746 .sp .6
746 747 .RS 4n
747 748 Specifies whether to try \fBrhosts\fR-based authentication. This declaration
748 749 affects only the client side and has no effect whatsoever on security.
749 750 Disabling \fBrhosts\fR authentication can reduce authentication time on slow
750 751 connections when \fBrhosts\fR authentication is not used. Most servers do not
751 752 permit \fBRhostsAuthentication\fR because it is not secure (see
752 753 \fBRhostsRSAAuthentication\fR). The argument to this keyword must be \fByes\fR
753 754 or \fBno\fR. This option applies only to the protocol version 1 and requires
754 755 that \fBssh\fR be \fBsetuid\fR root and that \fBUsePrivilegedPort\fR be set to
755 756 \fByes\fR.
756 757 .RE
757 758
758 759 .sp
759 760 .ne 2
760 761 .na
761 762 \fB\fBRhostsRSAAuthentication\fR\fR
762 763 .ad
763 764 .sp .6
764 765 .RS 4n
765 766 Specifies whether to try \fBrhosts\fR-based authentication with RSA host
766 767 authentication. This is the primary authentication method for most sites. The
767 768 argument must be \fByes\fR or \fBno\fR. This option applies only to the
768 769 protocol version 1 and requires that \fBssh\fR be \fBsetuid\fR root and that
769 770 \fBUsePrivilegedPort\fR be set to \fByes\fR.
770 771 .RE
771 772
772 773 .sp
773 774 .ne 2
774 775 .na
775 776 \fB\fBServerAliveCountMax\fR\fR
776 777 .ad
777 778 .sp .6
778 779 .RS 4n
779 780 Sets the number of server alive messages which can be sent without \fBssh\fR(1)
780 781 receiving messages back from the server. If this threshold is reached while
781 782 server alive messages are being sent, \fBssh\fR disconnects from the server,
782 783 terminating the session. The use of server alive messages differs from
783 784 \fBTCPKeepAlive\fR. Server alive messages are sent through the encrypted
784 785 channel and are not spoofable. The TCP keep alive option enabled by
785 786 \fBTCPKeepAlive\fR is spoofable. The server alive mechanism is valuable when
786 787 the client or server depend on knowing when a connection has become inactive.
787 788 .sp
788 789 The default value is 3. If, for example, \fBServerAliveInterval\fR is set to 15
789 790 and \fBServerAliveCountMax\fR is left at the default, \fBssh\fR disconnects in
790 791 45-60 seconds if the server becomes unresponsive. This option applies to
791 792 protocol version 2 only.
792 793 .RE
793 794
794 795 .sp
795 796 .ne 2
796 797 .na
797 798 \fB\fBServerAliveInterval\fR\fR
798 799 .ad
799 800 .sp .6
800 801 .RS 4n
801 802 Sets a timeout interval in seconds after which if no data has been received
802 803 from the server, \fBssh\fR(1) sends a message through the encrypted channel to
803 804 request a response from the server. The default is 0, indicating that these
804 805 messages are not sent to the server. This option applies to protocol version 2
805 806 only.
806 807 .RE
807 808
808 809 .sp
809 810 .ne 2
810 811 .na
811 812 \fB\fBStrictHostKeyChecking\fR\fR
812 813 .ad
813 814 .sp .6
814 815 .RS 4n
815 816 If this flag is set to \fByes\fR, \fBssh\fR never automatically adds host keys
816 817 to the \fB$HOME/.ssh/known_hosts\fR file, and refuses to connect hosts whose
817 818 host key has changed. This provides maximum protection against trojan horse
818 819 attacks. However, it can be a source of inconvenience if you do not have good
819 820 \fB/etc/ssh/ssh_known_hosts\fR files installed and frequently connect new
820 821 hosts. This option forces the user to manually add any new hosts. Normally this
821 822 option is disabled, and new hosts are automatically added to the known host
822 823 files. The host keys of known hosts are verified automatically in either case.
823 824 The argument must be \fByes\fR or \fBno\fR or \fBask\fR. The default is
824 825 \fBask\fR.
825 826 .RE
826 827
827 828 .sp
828 829 .ne 2
829 830 .na
830 831 \fB\fBUseOpenSSLEngine\fR\fR
831 832 .ad
832 833 .sp .6
833 834 .RS 4n
834 835 Specifies whether \fBssh\fR should use the OpenSSL PKCS#11 engine for
835 836 offloading cryptographic operations to the Cryptographic Framework.
836 837 Cryptographic operations are accelerated according to the available installed
837 838 plug-ins. When no suitable plug-ins are present this option does not have an
838 839 effect. The default is \fByes\fR.
839 840 .RE
840 841
841 842 .sp
842 843 .ne 2
843 844 .na
844 845 \fB\fBUsePrivilegedPort\fR\fR
845 846 .ad
846 847 .sp .6
847 848 .RS 4n
848 849 Specifies whether to use a privileged port for outgoing connections. The
849 850 argument must be \fByes\fR or \fBno\fR. The default is \fByes\fR. Setting this
850 851 option to \fBno\fR turns off \fBRhostsAuthentication\fR and
851 852 \fBRhostsRSAAuthentication\fR. If set to \fByes\fR \fBssh\fR must be
852 853 \fBsetuid\fR root. Defaults to \fBno\fR.
853 854 .RE
854 855
855 856 .sp
856 857 .ne 2
857 858 .na
858 859 \fB\fBUser\fR\fR
859 860 .ad
860 861 .sp .6
861 862 .RS 4n
862 863 Specifies the user to log in as. This can be useful if you have different user
863 864 names on different machines. This saves you the trouble of having to remember
864 865 to enter the user name on the command line.
865 866 .RE
866 867
867 868 .sp
868 869 .ne 2
869 870 .na
870 871 \fB\fBUserKnownHostsFile\fR\fR
871 872 .ad
872 873 .sp .6
873 874 .RS 4n
874 875 Specifies a file to use instead of \fB$HOME/.ssh/known_hosts\fR.
875 876 .RE
876 877
877 878 .sp
878 879 .ne 2
879 880 .na
880 881 \fB\fBUseRsh\fR\fR
881 882 .ad
882 883 .sp .6
883 884 .RS 4n
884 885 Specifies that \fBrlogin\fR or \fBrsh\fR should be used for this host. It is
885 886 possible that the host does not support the \fBssh\fR protocol. This causes
886 887 \fBssh\fR to immediately execute \fBrsh\fR(1). All other options (except
887 888 \fBHostName\fR) are ignored if this has been specified. The argument must be
888 889 \fByes\fR or \fBno\fR.
889 890 .RE
890 891
891 892 .sp
892 893 .ne 2
893 894 .na
894 895 \fB\fBXAuthLocation\fR\fR
895 896 .ad
896 897 .sp .6
897 898 .RS 4n
898 899 Specifies the location of the \fBxauth\fR(1) program. The default is
899 900 \fB/usr/openwin/bin/xauth\fR.
900 901 .RE
901 902
902 903 .SH SEE ALSO
903 904 .sp
904 905 .LP
905 906 \fBrsh\fR(1), \fBssh\fR(1), \fBssh-http-proxy-connect\fR(1),
906 907 \fBssh-keygen\fR(1), \fBssh-socks5-proxy-connect\fR(1), \fBsshd\fR(1M),
907 908 \fBsshd_config\fR(4), \fBkerberos\fR(5)
908 909 .sp
909 910 .LP
910 911 \fIRFC 4252\fR
|
↓ open down ↓ |
369 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX