ssh_config.5 (128460) | ssh_config.5 (137019) |
---|---|
1.\" -*- nroff -*- 2.\" 3.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5.\" All rights reserved 6.\" 7.\" As far as I am concerned, the code I have written for this software 8.\" can be used freely for any purpose. Any derived versions of this --- 20 unchanged lines hidden (view full) --- 29.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 30.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 31.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 32.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 33.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 36.\" | 1.\" -*- nroff -*- 2.\" 3.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5.\" All rights reserved 6.\" 7.\" As far as I am concerned, the code I have written for this software 8.\" can be used freely for any purpose. Any derived versions of this --- 20 unchanged lines hidden (view full) --- 29.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 30.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 31.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 32.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 33.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 36.\" |
37.\" $FreeBSD: head/crypto/openssh/ssh_config.5 128460 2004-04-20 09:46:41Z des $ 38.\" $OpenBSD: ssh_config.5,v 1.28 2003/12/16 15:49:51 markus Exp $ | 37.\" $OpenBSD: ssh_config.5,v 1.38 2004/06/26 09:11:14 jmc Exp $ 38.\" $FreeBSD: head/crypto/openssh/ssh_config.5 137019 2004-10-28 16:11:31Z des $ |
39.Dd September 25, 1999 40.Dt SSH_CONFIG 5 41.Os 42.Sh NAME 43.Nm ssh_config 44.Nd OpenSSH SSH client configuration files 45.Sh SYNOPSIS 46.Bl -tag -width Ds -compact --- 134 unchanged lines hidden (view full) --- 181cipher. 182Its use is strongly discouraged due to cryptographic weaknesses. 183The default is 184.Dq 3des . 185.It Cm Ciphers 186Specifies the ciphers allowed for protocol version 2 187in order of preference. 188Multiple ciphers must be comma-separated. | 39.Dd September 25, 1999 40.Dt SSH_CONFIG 5 41.Os 42.Sh NAME 43.Nm ssh_config 44.Nd OpenSSH SSH client configuration files 45.Sh SYNOPSIS 46.Bl -tag -width Ds -compact --- 134 unchanged lines hidden (view full) --- 181cipher. 182Its use is strongly discouraged due to cryptographic weaknesses. 183The default is 184.Dq 3des . 185.It Cm Ciphers 186Specifies the ciphers allowed for protocol version 2 187in order of preference. 188Multiple ciphers must be comma-separated. |
189The supported ciphers are 190.Dq 3des-cbc , 191.Dq aes128-cbc , 192.Dq aes192-cbc , 193.Dq aes256-cbc , 194.Dq aes128-ctr , 195.Dq aes192-ctr , 196.Dq aes256-ctr , 197.Dq arcfour , 198.Dq blowfish-cbc , 199and 200.Dq cast128-cbc . |
|
189The default is 190.Bd -literal 191 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, 192 aes192-cbc,aes256-cbc'' 193.Ed 194.It Cm ClearAllForwardings 195Specifies that all local, remote and dynamic port forwardings 196specified in the configuration files or on the command line be --- 31 unchanged lines hidden (view full) --- 228The argument must be an integer. 229This may be useful in scripts if the connection sometimes fails. 230The default is 1. 231.It Cm ConnectTimeout 232Specifies the timeout (in seconds) used when connecting to the ssh 233server, instead of using the default system TCP timeout. 234This value is used only when the target is down or really unreachable, 235not when it refuses the connection. | 201The default is 202.Bd -literal 203 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, 204 aes192-cbc,aes256-cbc'' 205.Ed 206.It Cm ClearAllForwardings 207Specifies that all local, remote and dynamic port forwardings 208specified in the configuration files or on the command line be --- 31 unchanged lines hidden (view full) --- 240The argument must be an integer. 241This may be useful in scripts if the connection sometimes fails. 242The default is 1. 243.It Cm ConnectTimeout 244Specifies the timeout (in seconds) used when connecting to the ssh 245server, instead of using the default system TCP timeout. 246This value is used only when the target is down or really unreachable, 247not when it refuses the connection. |
248.It Cm ControlMaster 249Enables the sharing of multiple sessions over a single network connection. 250When set to 251.Dq yes 252.Nm ssh 253will listen for connections on a control socket specified using the 254.Cm ControlPath 255argument. 256Additional sessions can connect to this socket using the same 257.Cm ControlPath 258with 259.Cm ControlMaster 260set to 261.Dq no 262(the default). 263These sessions will reuse the master instance's network connection rather 264than initiating new ones. 265Setting this to 266.Dq ask 267will cause 268.Nm ssh 269to listen for control connections, but require confirmation using the 270.Ev SSH_ASKPASS 271program before they are accepted (see 272.Xr ssh-add 1 273for details). 274.It Cm ControlPath 275Specify the path to the control socket used for connection sharing. 276See 277.Cm ControlMaster 278above. |
|
236.It Cm DynamicForward 237Specifies that a TCP/IP port on the local machine be forwarded 238over the secure channel, and the application 239protocol is then used to determine where to connect to from the 240remote machine. 241The argument must be a port number. 242Currently the SOCKS4 and SOCKS5 protocols are supported, and 243.Nm ssh --- 65 unchanged lines hidden (view full) --- 309Users with the ability to bypass file permissions on the remote host 310(for the user's X11 authorization database) 311can access the local X11 display through the forwarded connection. 312An attacker may then be able to perform activities such as keystroke monitoring 313if the 314.Cm ForwardX11Trusted 315option is also enabled. 316.It Cm ForwardX11Trusted | 279.It Cm DynamicForward 280Specifies that a TCP/IP port on the local machine be forwarded 281over the secure channel, and the application 282protocol is then used to determine where to connect to from the 283remote machine. 284The argument must be a port number. 285Currently the SOCKS4 and SOCKS5 protocols are supported, and 286.Nm ssh --- 65 unchanged lines hidden (view full) --- 352Users with the ability to bypass file permissions on the remote host 353(for the user's X11 authorization database) 354can access the local X11 display through the forwarded connection. 355An attacker may then be able to perform activities such as keystroke monitoring 356if the 357.Cm ForwardX11Trusted 358option is also enabled. 359.It Cm ForwardX11Trusted |
317If the this option is set to | 360If this option is set to |
318.Dq yes 319then remote X11 clients will have full access to the original X11 display. 320If this option is set to 321.Dq no 322then remote X11 clients will be considered untrusted and prevented 323from stealing or tampering with data belonging to trusted X11 324clients. 325.Pp --- 80 unchanged lines hidden (view full) --- 406syntax to refer to a user's home directory. 407It is possible to have 408multiple identity files specified in configuration files; all these 409identities will be tried in sequence. 410.It Cm IdentitiesOnly 411Specifies that 412.Nm ssh 413should only use the authentication identity files configured in the | 361.Dq yes 362then remote X11 clients will have full access to the original X11 display. 363If this option is set to 364.Dq no 365then remote X11 clients will be considered untrusted and prevented 366from stealing or tampering with data belonging to trusted X11 367clients. 368.Pp --- 80 unchanged lines hidden (view full) --- 449syntax to refer to a user's home directory. 450It is possible to have 451multiple identity files specified in configuration files; all these 452identities will be tried in sequence. 453.It Cm IdentitiesOnly 454Specifies that 455.Nm ssh 456should only use the authentication identity files configured in the |
414.Nm | 457.Nm |
415files, 416even if the 417.Nm ssh-agent 418offers more identities. 419The argument to this keyword must be 420.Dq yes 421or 422.Dq no . --- 143 unchanged lines hidden (view full) --- 566or 567.Dq no . 568RSA authentication will only be 569attempted if the identity file exists, or an authentication agent is 570running. 571The default is 572.Dq yes . 573Note that this option applies to protocol version 1 only. | 458files, 459even if the 460.Nm ssh-agent 461offers more identities. 462The argument to this keyword must be 463.Dq yes 464or 465.Dq no . --- 143 unchanged lines hidden (view full) --- 609or 610.Dq no . 611RSA authentication will only be 612attempted if the identity file exists, or an authentication agent is 613running. 614The default is 615.Dq yes . 616Note that this option applies to protocol version 1 only. |
617.It Cm SendEnv 618Specifies what variables from the local 619.Xr environ 7 620should be sent to the server. 621Note that environment passing is only supported for protocol 2, the 622server must also support it, and the server must be configured to 623accept these environment variables. 624Refer to 625.Cm AcceptEnv 626in 627.Xr sshd_config 5 628for how to configure the server. 629Variables are specified by name, which may contain the wildcard characters 630.Ql \&* 631and 632.Ql \&? . 633Multiple environment variables may be separated by whitespace or spread 634across multiple 635.Cm SendEnv 636directives. 637The default is not to send any environment variables. |
|
574.It Cm ServerAliveInterval 575Sets a timeout interval in seconds after which if no data has been received 576from the server, 577.Nm ssh 578will send a message through the encrypted 579channel to request a response from the server. 580The default 581is 0, indicating that these messages will not be sent to the server. --- 132 unchanged lines hidden (view full) --- 714.Dq ask . 715The default is 716.Dq no . 717Note that this option applies to protocol version 2 only. 718.It Cm VersionAddendum 719Specifies a string to append to the regular version string to identify 720OS- or site-specific modifications. 721The default is | 638.It Cm ServerAliveInterval 639Sets a timeout interval in seconds after which if no data has been received 640from the server, 641.Nm ssh 642will send a message through the encrypted 643channel to request a response from the server. 644The default 645is 0, indicating that these messages will not be sent to the server. --- 132 unchanged lines hidden (view full) --- 778.Dq ask . 779The default is 780.Dq no . 781Note that this option applies to protocol version 2 only. 782.It Cm VersionAddendum 783Specifies a string to append to the regular version string to identify 784OS- or site-specific modifications. 785The default is |
722.Dq FreeBSD-20040419 . | 786.Dq FreeBSD-20041028 . |
723.It Cm XAuthLocation 724Specifies the full pathname of the 725.Xr xauth 1 726program. 727The default is 728.Pa /usr/X11R6/bin/xauth . 729.El 730.Sh FILES 731.Bl -tag -width Ds 732.It Pa $HOME/.ssh/config 733This is the per-user configuration file. 734The format of this file is described above. 735This file is used by the 736.Nm ssh 737client. | 787.It Cm XAuthLocation 788Specifies the full pathname of the 789.Xr xauth 1 790program. 791The default is 792.Pa /usr/X11R6/bin/xauth . 793.El 794.Sh FILES 795.Bl -tag -width Ds 796.It Pa $HOME/.ssh/config 797This is the per-user configuration file. 798The format of this file is described above. 799This file is used by the 800.Nm ssh 801client. |
738This file does not usually contain any sensitive information, 739but the recommended permissions are read/write for the user, and not 740accessible by others. | 802Because of the potential for abuse, this file must have strict permissions: 803read/write for the user, and not accessible by others. |
741.It Pa /etc/ssh/ssh_config 742Systemwide configuration file. 743This file provides defaults for those 744values that are not specified in the user's configuration file, and 745for those users who do not have a configuration file. 746This file must be world-readable. 747.El 748.Sh SEE ALSO 749.Xr ssh 1 750.Sh AUTHORS 751OpenSSH is a derivative of the original and free 752ssh 1.2.12 release by Tatu Ylonen. 753Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, 754Theo de Raadt and Dug Song 755removed many bugs, re-added newer features and 756created OpenSSH. 757Markus Friedl contributed the support for SSH 758protocol versions 1.5 and 2.0. | 804.It Pa /etc/ssh/ssh_config 805Systemwide configuration file. 806This file provides defaults for those 807values that are not specified in the user's configuration file, and 808for those users who do not have a configuration file. 809This file must be world-readable. 810.El 811.Sh SEE ALSO 812.Xr ssh 1 813.Sh AUTHORS 814OpenSSH is a derivative of the original and free 815ssh 1.2.12 release by Tatu Ylonen. 816Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, 817Theo de Raadt and Dug Song 818removed many bugs, re-added newer features and 819created OpenSSH. 820Markus Friedl contributed the support for SSH 821protocol versions 1.5 and 2.0. |