1.\" -*- nroff -*-
2.\"
3.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5.\" All rights reserved
6.\"
7.\" As far as I am concerned, the code I have written for this software
8.\" can be used freely for any purpose. Any derived versions of this
--- 20 unchanged lines hidden (view full) ---
29.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
30.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
31.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
32.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
33.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\"
37.\" $FreeBSD: head/crypto/openssh/ssh_config.5 128460 2004-04-20 09:46:41Z des $
38.\" $OpenBSD: ssh_config.5,v 1.28 2003/12/16 15:49:51 markus Exp $
39.Dd September 25, 1999
40.Dt SSH_CONFIG 5
41.Os
42.Sh NAME
43.Nm ssh_config
44.Nd OpenSSH SSH client configuration files
45.Sh SYNOPSIS
46.Bl -tag -width Ds -compact
--- 134 unchanged lines hidden (view full) ---
181cipher.
182Its use is strongly discouraged due to cryptographic weaknesses.
183The default is
184.Dq 3des .
185.It Cm Ciphers
186Specifies the ciphers allowed for protocol version 2
187in order of preference.
188Multiple ciphers must be comma-separated.
189The default is
190.Bd -literal
191 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
192 aes192-cbc,aes256-cbc''
193.Ed
194.It Cm ClearAllForwardings
195Specifies that all local, remote and dynamic port forwardings
196specified in the configuration files or on the command line be
--- 31 unchanged lines hidden (view full) ---
228The argument must be an integer.
229This may be useful in scripts if the connection sometimes fails.
230The default is 1.
231.It Cm ConnectTimeout
232Specifies the timeout (in seconds) used when connecting to the ssh
233server, instead of using the default system TCP timeout.
234This value is used only when the target is down or really unreachable,
235not when it refuses the connection.
236.It Cm DynamicForward
237Specifies that a TCP/IP port on the local machine be forwarded
238over the secure channel, and the application
239protocol is then used to determine where to connect to from the
240remote machine.
241The argument must be a port number.
242Currently the SOCKS4 and SOCKS5 protocols are supported, and
243.Nm ssh
--- 65 unchanged lines hidden (view full) ---
309Users with the ability to bypass file permissions on the remote host
310(for the user's X11 authorization database)
311can access the local X11 display through the forwarded connection.
312An attacker may then be able to perform activities such as keystroke monitoring
313if the
314.Cm ForwardX11Trusted
315option is also enabled.
316.It Cm ForwardX11Trusted
317If the this option is set to
318.Dq yes
319then remote X11 clients will have full access to the original X11 display.
320If this option is set to
321.Dq no
322then remote X11 clients will be considered untrusted and prevented
323from stealing or tampering with data belonging to trusted X11
324clients.
325.Pp
--- 80 unchanged lines hidden (view full) ---
406syntax to refer to a user's home directory.
407It is possible to have
408multiple identity files specified in configuration files; all these
409identities will be tried in sequence.
410.It Cm IdentitiesOnly
411Specifies that
412.Nm ssh
413should only use the authentication identity files configured in the
414.Nm
415files,
416even if the
417.Nm ssh-agent
418offers more identities.
419The argument to this keyword must be
420.Dq yes
421or
422.Dq no .
--- 143 unchanged lines hidden (view full) ---
566or
567.Dq no .
568RSA authentication will only be
569attempted if the identity file exists, or an authentication agent is
570running.
571The default is
572.Dq yes .
573Note that this option applies to protocol version 1 only.
574.It Cm ServerAliveInterval
575Sets a timeout interval in seconds after which if no data has been received
576from the server,
577.Nm ssh
578will send a message through the encrypted
579channel to request a response from the server.
580The default
581is 0, indicating that these messages will not be sent to the server.
--- 132 unchanged lines hidden (view full) ---
714.Dq ask .
715The default is
716.Dq no .
717Note that this option applies to protocol version 2 only.
718.It Cm VersionAddendum
719Specifies a string to append to the regular version string to identify
720OS- or site-specific modifications.
721The default is
722.Dq FreeBSD-20040419 .
723.It Cm XAuthLocation
724Specifies the full pathname of the
725.Xr xauth 1
726program.
727The default is
728.Pa /usr/X11R6/bin/xauth .
729.El
730.Sh FILES
731.Bl -tag -width Ds
732.It Pa $HOME/.ssh/config
733This is the per-user configuration file.
734The format of this file is described above.
735This file is used by the
736.Nm ssh
737client.
738This file does not usually contain any sensitive information,
739but the recommended permissions are read/write for the user, and not
740accessible by others.
741.It Pa /etc/ssh/ssh_config
742Systemwide configuration file.
743This file provides defaults for those
744values that are not specified in the user's configuration file, and
745for those users who do not have a configuration file.
746This file must be world-readable.
747.El
748.Sh SEE ALSO
749.Xr ssh 1
750.Sh AUTHORS
751OpenSSH is a derivative of the original and free
752ssh 1.2.12 release by Tatu Ylonen.
753Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
754Theo de Raadt and Dug Song
755removed many bugs, re-added newer features and
756created OpenSSH.
757Markus Friedl contributed the support for SSH
758protocol versions 1.5 and 2.0.
2.\"
3.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5.\" All rights reserved
6.\"
7.\" As far as I am concerned, the code I have written for this software
8.\" can be used freely for any purpose. Any derived versions of this
--- 20 unchanged lines hidden (view full) ---
29.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
30.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
31.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
32.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
33.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\"
37.\" $FreeBSD: head/crypto/openssh/ssh_config.5 128460 2004-04-20 09:46:41Z des $
38.\" $OpenBSD: ssh_config.5,v 1.28 2003/12/16 15:49:51 markus Exp $
39.Dd September 25, 1999
40.Dt SSH_CONFIG 5
41.Os
42.Sh NAME
43.Nm ssh_config
44.Nd OpenSSH SSH client configuration files
45.Sh SYNOPSIS
46.Bl -tag -width Ds -compact
--- 134 unchanged lines hidden (view full) ---
181cipher.
182Its use is strongly discouraged due to cryptographic weaknesses.
183The default is
184.Dq 3des .
185.It Cm Ciphers
186Specifies the ciphers allowed for protocol version 2
187in order of preference.
188Multiple ciphers must be comma-separated.
189The default is
190.Bd -literal
191 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
192 aes192-cbc,aes256-cbc''
193.Ed
194.It Cm ClearAllForwardings
195Specifies that all local, remote and dynamic port forwardings
196specified in the configuration files or on the command line be
--- 31 unchanged lines hidden (view full) ---
228The argument must be an integer.
229This may be useful in scripts if the connection sometimes fails.
230The default is 1.
231.It Cm ConnectTimeout
232Specifies the timeout (in seconds) used when connecting to the ssh
233server, instead of using the default system TCP timeout.
234This value is used only when the target is down or really unreachable,
235not when it refuses the connection.
236.It Cm DynamicForward
237Specifies that a TCP/IP port on the local machine be forwarded
238over the secure channel, and the application
239protocol is then used to determine where to connect to from the
240remote machine.
241The argument must be a port number.
242Currently the SOCKS4 and SOCKS5 protocols are supported, and
243.Nm ssh
--- 65 unchanged lines hidden (view full) ---
309Users with the ability to bypass file permissions on the remote host
310(for the user's X11 authorization database)
311can access the local X11 display through the forwarded connection.
312An attacker may then be able to perform activities such as keystroke monitoring
313if the
314.Cm ForwardX11Trusted
315option is also enabled.
316.It Cm ForwardX11Trusted
317If the this option is set to
318.Dq yes
319then remote X11 clients will have full access to the original X11 display.
320If this option is set to
321.Dq no
322then remote X11 clients will be considered untrusted and prevented
323from stealing or tampering with data belonging to trusted X11
324clients.
325.Pp
--- 80 unchanged lines hidden (view full) ---
406syntax to refer to a user's home directory.
407It is possible to have
408multiple identity files specified in configuration files; all these
409identities will be tried in sequence.
410.It Cm IdentitiesOnly
411Specifies that
412.Nm ssh
413should only use the authentication identity files configured in the
414.Nm
415files,
416even if the
417.Nm ssh-agent
418offers more identities.
419The argument to this keyword must be
420.Dq yes
421or
422.Dq no .
--- 143 unchanged lines hidden (view full) ---
566or
567.Dq no .
568RSA authentication will only be
569attempted if the identity file exists, or an authentication agent is
570running.
571The default is
572.Dq yes .
573Note that this option applies to protocol version 1 only.
574.It Cm ServerAliveInterval
575Sets a timeout interval in seconds after which if no data has been received
576from the server,
577.Nm ssh
578will send a message through the encrypted
579channel to request a response from the server.
580The default
581is 0, indicating that these messages will not be sent to the server.
--- 132 unchanged lines hidden (view full) ---
714.Dq ask .
715The default is
716.Dq no .
717Note that this option applies to protocol version 2 only.
718.It Cm VersionAddendum
719Specifies a string to append to the regular version string to identify
720OS- or site-specific modifications.
721The default is
722.Dq FreeBSD-20040419 .
723.It Cm XAuthLocation
724Specifies the full pathname of the
725.Xr xauth 1
726program.
727The default is
728.Pa /usr/X11R6/bin/xauth .
729.El
730.Sh FILES
731.Bl -tag -width Ds
732.It Pa $HOME/.ssh/config
733This is the per-user configuration file.
734The format of this file is described above.
735This file is used by the
736.Nm ssh
737client.
738This file does not usually contain any sensitive information,
739but the recommended permissions are read/write for the user, and not
740accessible by others.
741.It Pa /etc/ssh/ssh_config
742Systemwide configuration file.
743This file provides defaults for those
744values that are not specified in the user's configuration file, and
745for those users who do not have a configuration file.
746This file must be world-readable.
747.El
748.Sh SEE ALSO
749.Xr ssh 1
750.Sh AUTHORS
751OpenSSH is a derivative of the original and free
752ssh 1.2.12 release by Tatu Ylonen.
753Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
754Theo de Raadt and Dug Song
755removed many bugs, re-added newer features and
756created OpenSSH.
757Markus Friedl contributed the support for SSH
758protocol versions 1.5 and 2.0.