1.\" -*- nroff -*-
2.\"
3.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5.\" All rights reserved
6.\"
7.\" As far as I am concerned, the code I have written for this software
8.\" can be used freely for any purpose. Any derived versions of this

--- 20 unchanged lines hidden (view full) ---

29.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
30.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
31.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
32.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
33.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\"
37.\" $OpenBSD: ssh_config.5,v 1.5 2002/08/29 22:54:10 stevesk Exp $
38.\" $FreeBSD: head/crypto/openssh/ssh_config.5 110692 2003-02-11 12:11:15Z des $
37.\" $OpenBSD: ssh_config.5,v 1.7 2003/03/28 10:11:43 jmc Exp $
38.\" $FreeBSD: head/crypto/openssh/ssh_config.5 113911 2003-04-23 17:13:13Z des $
39.Dd September 25, 1999
40.Dt SSH_CONFIG 5
41.Os
42.Sh NAME
43.Nm ssh_config
44.Nd OpenSSH SSH client configuration files
45.Sh SYNOPSIS
46.Bl -tag -width Ds -compact

--- 125 unchanged lines hidden (view full) ---

172.Dq des
173are supported.
174.Ar des
175is only supported in the
176.Nm ssh
177client for interoperability with legacy protocol 1 implementations
178that do not support the
179.Ar 3des
180cipher. Its use is strongly discouraged due to cryptographic
181weaknesses.
180cipher.
181Its use is strongly discouraged due to cryptographic weaknesses.
182The default is
183.Dq 3des .
184.It Cm Ciphers
185Specifies the ciphers allowed for protocol version 2
186in order of preference.
187Multiple ciphers must be comma-separated.
188The default is
189.Pp
190.Bd -literal
191 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
192 aes192-cbc,aes256-cbc''
193.Ed
194.It Cm ClearAllForwardings
195Specifies that all local, remote and dynamic port forwardings
196specified in the configuration files or on the command line be
197cleared. This option is primarily useful when used from the
197cleared.
198This option is primarily useful when used from the
199.Nm ssh
200command line to clear port forwardings set in
201configuration files, and is automatically set by
202.Xr scp 1
203and
204.Xr sftp 1 .
205The argument must be
206.Dq yes

--- 20 unchanged lines hidden (view full) ---

227Specifies the number of tries (one per second) to make before exiting.
228The argument must be an integer.
229This may be useful in scripts if the connection sometimes fails.
230The default is 1.
231.It Cm DynamicForward
232Specifies that a TCP/IP port on the local machine be forwarded
233over the secure channel, and the application
234protocol is then used to determine where to connect to from the
234remote machine. The argument must be a port number.
235remote machine.
236The argument must be a port number.
237Currently the SOCKS4 protocol is supported, and
238.Nm ssh
239will act as a SOCKS4 server.
240Multiple forwardings may be specified, and
239additional forwardings can be given on the command line. Only
240the superuser can forward privileged ports.
241additional forwardings can be given on the command line.
242Only the superuser can forward privileged ports.
243.It Cm EscapeChar
244Sets the escape character (default:
245.Ql ~ ) .
246The escape character can also
247be set on the command line.
248The argument should be a single character,
249.Ql ^
250followed by a letter, or
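
Review bot: The DynamicForward entry (new lines 231-242) does not say which local address the SOCKS4 listener binds to. The GatewayPorts entry on this page documents loopback binding for local port forwardings; a cross-reference here, or one sentence stating whether GatewayPorts also governs this listener, would tell readers whether other hosts can reach the proxy port. The sentence-per-line rewrap itself changes no wording.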

--- 6 unchanged lines hidden (view full) ---

257will be forwarded to the remote machine.
258The argument must be
259.Dq yes
260or
261.Dq no .
262The default is
263.Dq no .
264.Pp
263Agent forwarding should be enabled with caution. Users with the
264ability to bypass file permissions on the remote host (for the agent's
265Unix-domain socket) can access the local agent through the forwarded
266connection. An attacker cannot obtain key material from the agent,
265Agent forwarding should be enabled with caution.
266Users with the ability to bypass file permissions on the remote host
267(for the agent's Unix-domain socket)
268can access the local agent through the forwarded connection.
269An attacker cannot obtain key material from the agent,
270however they can perform operations on the keys that enable them to
271authenticate using the identities loaded into the agent.
272.It Cm ForwardX11
273Specifies whether X11 connections will be automatically redirected
274over the secure channel and
275.Ev DISPLAY
276set.
277The argument must be
278.Dq yes
279or
280.Dq no .
281The default is
282.Dq no .
283.Pp
281X11 forwarding should be enabled with caution. Users with the ability
282to bypass file permissions on the remote host (for the user's X
283authorization database) can access the local X11 display through the
284forwarded connection. An attacker may then be able to perform
285activities such as keystroke monitoring.
284X11 forwarding should be enabled with caution.
285Users with the ability to bypass file permissions on the remote host
286(for the user's X authorization database)
287can access the local X11 display through the forwarded connection.
288An attacker may then be able to perform activities such as keystroke monitoring.
289.It Cm GatewayPorts
290Specifies whether remote hosts are allowed to connect to local
291forwarded ports.
292By default,
293.Nm ssh
291binds local port forwardings to the loopback address. This
292prevents other remote hosts from connecting to forwarded ports.
294binds local port forwardings to the loopback address.
295This prevents other remote hosts from connecting to forwarded ports.
296.Cm GatewayPorts
297can be used to specify that
298.Nm ssh
299should bind local port forwardings to the wildcard address,
300thus allowing remote hosts to connect to forwarded ports.
301The argument must be
302.Dq yes
303or
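
Review bot: The GatewayPorts entry (new lines 289-300) carries no caution paragraph, unlike the ForwardAgent and ForwardX11 entries directly above it, even though it states that binding to the wildcard address allows remote hosts to connect to forwarded ports. Since this pass already reflows the paragraph, consider adding a sentence in the same form as the other two, saying that the option should be enabled with caution because it removes the loopback restriction described at lines 294-295.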

--- 90 unchanged lines hidden (view full) ---

394Multiple forwardings may be specified, and additional
395forwardings can be given on the command line.
396Only the superuser can forward privileged ports.
397.It Cm LogLevel
398Gives the verbosity level that is used when logging messages from
399.Nm ssh .
400The possible values are:
401QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3.
399The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2
400and DEBUG3 each specify higher levels of verbose output.
402The default is INFO.
403DEBUG and DEBUG1 are equivalent.
404DEBUG2 and DEBUG3 each specify higher levels of verbose output.
405.It Cm MACs
406Specifies the MAC (message authentication code) algorithms
407in order of preference.
408The MAC algorithm is used in protocol version 2
409for data integrity protection.
410Multiple algorithms must be comma-separated.
411The default is
412.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .

--- 61 unchanged lines hidden (view full) ---

474It should eventually connect an
475.Xr sshd 8
476server running on some machine, or execute
477.Ic sshd -i
478somewhere.
479Host key management will be done using the
480HostName of the host being connected (defaulting to the name typed by
481the user).
482Setting the command to
483.Dq none
484disables this option entirely.
485Note that
486.Cm CheckHostIP
487is not available for connects with a proxy command.
488.Pp
489.It Cm PubkeyAuthentication
490Specifies whether to try public key authentication.
491The argument to this keyword must be
492.Dq yes
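
Review bot: The `.Pp` at line 488 is immediately followed by `.It Cm PubkeyAuthentication` at line 489, so it opens an empty paragraph at the end of the ProxyCommand entry. Drop it, or move it in front of the text it was meant to separate.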

--- 125 unchanged lines hidden (view full) ---

618.It Cm UserKnownHostsFile
619Specifies a file to use for the user
620host key database instead of
621.Pa $HOME/.ssh/known_hosts .
622.It Cm VersionAddendum
623Specifies a string to append to the regular version string to identify
624OS- or site-specific modifications.
625The default is
619.Dq FreeBSD-20030201 .
626.Dq FreeBSD-20030423 .
627.It Cm XAuthLocation
628Specifies the full pathname of the
629.Xr xauth 1
630program.
631The default is
632.Pa /usr/X11R6/bin/xauth .
633.El
634.Sh FILES
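
Review bot: The VersionAddendum default at line 626 is a literal date string (FreeBSD-20030201 becomes FreeBSD-20030423, matching the 2003-04-23 date in the $FreeBSD$ id) that has to be edited by hand on every import. Please confirm the same commit changes the value the client actually uses, so the page and the binary do not disagree. Because the entry describes this string as identifying OS- or site-specific modifications, a stale value here misleads anyone relying on the page to tell which patch level a host runs.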

--- 28 unchanged lines hidden ---