1.\" -*- nroff -*- 2.\" 3.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5.\" All rights reserved 6.\" 7.\" As far as I am concerned, the code I have written for this software 8.\" can be used freely for any purpose. Any derived versions of this --- 20 unchanged lines hidden (view full) --- 29.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 30.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 31.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 32.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 33.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 36.\" |
37.\" $OpenBSD: ssh_config.5,v 1.38 2004/06/26 09:11:14 jmc Exp $ 38.\" $FreeBSD: head/crypto/openssh/ssh_config.5 137019 2004-10-28 16:11:31Z des $ |
39.Dd September 25, 1999 40.Dt SSH_CONFIG 5 41.Os 42.Sh NAME 43.Nm ssh_config 44.Nd OpenSSH SSH client configuration files 45.Sh SYNOPSIS 46.Bl -tag -width Ds -compact --- 134 unchanged lines hidden (view full) --- 181cipher. 182Its use is strongly discouraged due to cryptographic weaknesses. 183The default is 184.Dq 3des . 185.It Cm Ciphers 186Specifies the ciphers allowed for protocol version 2 187in order of preference. 188Multiple ciphers must be comma-separated. |
189The supported ciphers are 190.Dq 3des-cbc , 191.Dq aes128-cbc , 192.Dq aes192-cbc , 193.Dq aes256-cbc , 194.Dq aes128-ctr , 195.Dq aes192-ctr , 196.Dq aes256-ctr , 197.Dq arcfour , 198.Dq blowfish-cbc , 199and 200.Dq cast128-cbc . |
201The default is 202.Bd -literal 203 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, 204 aes192-cbc,aes256-cbc'' 205.Ed 206.It Cm ClearAllForwardings 207Specifies that all local, remote and dynamic port forwardings 208specified in the configuration files or on the command line be --- 31 unchanged lines hidden (view full) --- 240The argument must be an integer. 241This may be useful in scripts if the connection sometimes fails. 242The default is 1. 243.It Cm ConnectTimeout 244Specifies the timeout (in seconds) used when connecting to the ssh 245server, instead of using the default system TCP timeout. 246This value is used only when the target is down or really unreachable, 247not when it refuses the connection. |
248.It Cm ControlMaster 249Enables the sharing of multiple sessions over a single network connection. 250When set to 251.Dq yes 252.Nm ssh 253will listen for connections on a control socket specified using the 254.Cm ControlPath 255argument. 256Additional sessions can connect to this socket using the same 257.Cm ControlPath 258with 259.Cm ControlMaster 260set to 261.Dq no 262(the default). 263These sessions will reuse the master instance's network connection rather 264than initiating new ones. 265Setting this to 266.Dq ask 267will cause 268.Nm ssh 269to listen for control connections, but require confirmation using the 270.Ev SSH_ASKPASS 271program before they are accepted (see 272.Xr ssh-add 1 273for details). 274.It Cm ControlPath 275Specify the path to the control socket used for connection sharing. 276See 277.Cm ControlMaster 278above. |
279.It Cm DynamicForward 280Specifies that a TCP/IP port on the local machine be forwarded 281over the secure channel, and the application 282protocol is then used to determine where to connect to from the 283remote machine. 284The argument must be a port number. 285Currently the SOCKS4 and SOCKS5 protocols are supported, and 286.Nm ssh --- 65 unchanged lines hidden (view full) --- 352Users with the ability to bypass file permissions on the remote host 353(for the user's X11 authorization database) 354can access the local X11 display through the forwarded connection. 355An attacker may then be able to perform activities such as keystroke monitoring 356if the 357.Cm ForwardX11Trusted 358option is also enabled. 359.It Cm ForwardX11Trusted |
360If this option is set to |
361.Dq yes 362then remote X11 clients will have full access to the original X11 display. 363If this option is set to 364.Dq no 365then remote X11 clients will be considered untrusted and prevented 366from stealing or tampering with data belonging to trusted X11 367clients. 368.Pp --- 80 unchanged lines hidden (view full) --- 449syntax to refer to a user's home directory. 450It is possible to have 451multiple identity files specified in configuration files; all these 452identities will be tried in sequence. 453.It Cm IdentitiesOnly 454Specifies that 455.Nm ssh 456should only use the authentication identity files configured in the |
457.Nm |
458files, 459even if the 460.Nm ssh-agent 461offers more identities. 462The argument to this keyword must be 463.Dq yes 464or 465.Dq no . --- 143 unchanged lines hidden (view full) --- 609or 610.Dq no . 611RSA authentication will only be 612attempted if the identity file exists, or an authentication agent is 613running. 614The default is 615.Dq yes . 616Note that this option applies to protocol version 1 only. |
617.It Cm SendEnv 618Specifies what variables from the local 619.Xr environ 7 620should be sent to the server. 621Note that environment passing is only supported for protocol 2, the 622server must also support it, and the server must be configured to 623accept these environment variables. 624Refer to 625.Cm AcceptEnv 626in 627.Xr sshd_config 5 628for how to configure the server. 629Variables are specified by name, which may contain the wildcard characters 630.Ql \&* 631and 632.Ql \&? . 633Multiple environment variables may be separated by whitespace or spread 634across multiple 635.Cm SendEnv 636directives. 637The default is not to send any environment variables. |
638.It Cm ServerAliveInterval 639Sets a timeout interval in seconds after which if no data has been received 640from the server, 641.Nm ssh 642will send a message through the encrypted 643channel to request a response from the server. 644The default 645is 0, indicating that these messages will not be sent to the server. --- 132 unchanged lines hidden (view full) --- 778.Dq ask . 779The default is 780.Dq no . 781Note that this option applies to protocol version 2 only. 782.It Cm VersionAddendum 783Specifies a string to append to the regular version string to identify 784OS- or site-specific modifications. 785The default is |
786.Dq FreeBSD-20041028 . |
787.It Cm XAuthLocation 788Specifies the full pathname of the 789.Xr xauth 1 790program. 791The default is 792.Pa /usr/X11R6/bin/xauth . 793.El 794.Sh FILES 795.Bl -tag -width Ds 796.It Pa $HOME/.ssh/config 797This is the per-user configuration file. 798The format of this file is described above. 799This file is used by the 800.Nm ssh 801client. |
802Because of the potential for abuse, this file must have strict permissions: 803read/write for the user, and not accessible by others. |
804.It Pa /etc/ssh/ssh_config 805Systemwide configuration file. 806This file provides defaults for those 807values that are not specified in the user's configuration file, and 808for those users who do not have a configuration file. 809This file must be world-readable. 810.El 811.Sh SEE ALSO 812.Xr ssh 1 813.Sh AUTHORS 814OpenSSH is a derivative of the original and free 815ssh 1.2.12 release by Tatu Ylonen. 816Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, 817Theo de Raadt and Dug Song 818removed many bugs, re-added newer features and 819created OpenSSH. 820Markus Friedl contributed the support for SSH 821protocol versions 1.5 and 2.0. |