ssh2_config(4)
NAME
ssh2_config - Configuration file for the Secure Shell client
DESCRIPTION
The Secure Shell client reads configuration data from the following
sources, in this order:
1. the system's global configuration file (/etc/ssh2/ssh2_config)
2. the user's configuration file ($HOME/.ssh2/ssh2_config)
3. the command-line options
For each keyword, the last obtained value will be effective.
A configuration file can begin with metaconfiguration information (i.e.,
information about the configuration language).
If the configuration file starts with a line matching the following egrep
style regex
#.*VERSION[ \t\f]+[0-9]+.[0-9]+
it is interpreted as the version of the configuration style. If this line
is not found, the version is 1.0.
The version string can be followed by one or more metaconfiguration
parameters. The lines have to start with the pound (#) sign, and they have
to match the following egrep style regex:
#[# \t]+[A-Z0-9]+[ \t]+.*
Parsing of metaconfiguration directives stops with the first non-recognized
line.
Version 1.1 and later recognize the following parameter:
REGEX-SYNTAX
Denotes the regex syntax used to parse the configuration file. The
value can be egrep, ssh, zsh_fileglob or traditional. The
zsh_fileglob and traditional arguments are synonymous. The
arguments are not case-sensitive.
In the ssh2_config file, a line of the form expression: denotes the start
of a per-host configuration block, where expression is an arbitrary string
which distinguishes this block from others. The expression can contain
wildcards, and is compared with the hostname obtained from the command
line. If it matches, the block is evaluated. Evaluation stops at the next
expression: line. If more than one block matches, all are evaluated and
the last obtained value for each parameter is effective. The expression
does not have to be a real hostname, as long as the block contains a Host
configuration parameter that defines the real hostname.
Empty lines and lines starting with the pound (#) sign are ignored as
comments.
Otherwise a line is of the format keyword arguments.
It is possible to enclose arguments in quotes, and use the standard C
convention. Configuration files are case sensitive, but keywords are not
case sensitive. Illegal keywords will prevent Secure Shell clients from
starting successfully.
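The file format described above (version line, metaconfiguration, expression: blocks, last-value-wins merging of the global and user files), as an added example that is not part of the man page or of the Secure Shell product. It assumes the zsh_fileglob syntax can be approximated with fnmatch and the C quoting convention with shlex, and the sample configuration files are constructed; the weak_settings check flags only values this page itself cautions about.

```python
import fnmatch   # assumption: approximates REGEX-SYNTAX zsh_fileglob/traditional
import re
import shlex     # assumption: approximates the C quoting convention for arguments

# Regexes from the man page; '.' escaped, and '-' admitted so REGEX-SYNTAX matches.
VERSION_RE = re.compile(r"#.*VERSION[ \t\f]+([0-9]+\.[0-9]+)")
META_RE = re.compile(r"#[# \t]+([A-Z0-9-]+)[ \t]+(.*)")

def parse(text):
    """Return (version, metaconfig, blocks); blocks = [(expression or None, [(keyword, args)])]."""
    lines, version, meta, i = text.splitlines(), "1.0", {}, 0
    if lines and VERSION_RE.match(lines[0]):
        version, i = VERSION_RE.match(lines[0]).group(1), 1
        while i < len(lines) and META_RE.match(lines[i]):   # stops at first unrecognized line
            meta[META_RE.match(lines[i]).group(1)] = META_RE.match(lines[i]).group(2).strip()
            i += 1
    blocks = [(None, [])]                    # settings before any expression apply to every host
    for line in (l.strip() for l in lines[i:]):
        if not line or line.startswith("#"):      # empty lines and comments are ignored
            continue
        if line.endswith(":"):                    # "expression:" opens a per-host block
            blocks.append((line[:-1], []))
        else:                                     # otherwise: keyword arguments (keyword case-insensitive)
            parts = line.split(None, 1)
            blocks[-1][1].append((parts[0].lower(), shlex.split(parts[1]) if len(parts) > 1 else []))
    return version, meta, blocks

def effective(sources, hostname):
    """Merge sources in order (global file, then user file); the last value obtained wins."""
    result = {}
    for text in sources:
        for expression, entries in parse(text)[2]:
            if expression is None or fnmatch.fnmatchcase(hostname, expression):
                for keyword, args in entries:
                    result[keyword] = args
    return result

def weak_settings(cfg):
    """Flag values the man page warns about: lists admitting 'none', host key checking off."""
    findings = []
    for key in ("ciphers", "macs"):
        values = {v.strip().lower() for v in ",".join(cfg.get(key, [])).split(",")}
        if values & {"any", "anystd", "none"}:
            findings.append(f"{key}: argument admits the non-protecting 'none'")
    if cfg.get("stricthostkeychecking", ["ask"])[0].lower() == "no":
        findings.append("stricthostkeychecking no: new host keys added without prompting")
    return findings

GLOBAL_CONF = ("## VERSION 1.1\n## REGEX-SYNTAX zsh_fileglob\n"   # constructed /etc/ssh2/ssh2_config
               "StrictHostKeyChecking ask\nCiphers anystdcipher\n")
USER_CONF = ("ForwardAgent no\n*.example.test:\n  Ciphers any\n  MACs anystd\n"   # constructed user file
             "  StrictHostKeyChecking no\nbuild:\n  Host build.example.test\n  User ci\n")
```

Running effective([GLOBAL_CONF, USER_CONF], "web.example.test") shows the user file's matching block overriding the global Ciphers and StrictHostKeyChecking values, while "build" keeps the global ones and picks up Host and User from its own block.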
Following are the ssh2_config file keywords:
AllowedAuthentications
Specifies the authentication methods that the client uses. Supported
authentication methods are keyboard-interactive, password, publickey,
kerberos-2@ssh.com, kerberos-tgt-2@ssh.com, and hostbased. The default
is publickey, keyboard-interactive, password.
You can specify any or all authentication methods. Use a comma-separated
list when specifying more than one argument. The order in
which authentication methods are listed is the order in which they are
used. The least interactive methods should be placed first in this
list. The first successful authentication is the one used.
AuthenticationSuccessMsg
Specifies whether to display the Authentication successful message
after authentication has completed successfully. This is intended to
prevent malicious servers from getting information from the user by
displaying additional password or passphrase prompts. The argument must
be yes or no. The default is yes.
BatchMode
Specifies whether password or passphrase querying is disabled. This
keyword is useful in scripts and other batch jobs where you don't have
a user to supply the password. If the StrictHostKeyChecking keyword is
set to ask, the client assumes a no answer because user input is not
accepted when invoked with BatchMode yes. The argument must be yes or
no. The default is no.
Ciphers
Specifies the ciphers to use for encrypting the session. Supported
ciphers are aes, blowfish, twofish, arcfour, cast, des, and 3des.
Special arguments to this keyword are any, anystd, none, anycipher and
anystdcipher. The any argument allows any available cipher, including the
non-encrypting cipher mode none; the anystd argument allows only standard
ciphers and none; the none argument selects only the non-encrypting cipher
mode; the anycipher argument excludes none but allows all others. The
AnyStdCipher argument is the same as the AnyCipher argument, but
includes only those ciphers mentioned in the IETF-SecSH-draft
(excluding none). The AnyStdCipher argument is the default.
ClearAllForwardings
Specifies whether to clear all defined remote and local forwarded
ports. The argument must be yes or no. The scp command always
automatically clears all forwarded ports.
Compression
Specifies whether to use compression. The argument must be yes or no.
DebugLogFile
Writes debug messages to specified file. (Remember to enable
debugging.)
DefaultDomain
Determines the system name if only the base part of the system name is
available by normal means (for example, those used by the hostname
command). The results are appended to the found system name, if the
system name returned does not contain a dot ( . ). This keyword is only
useful if set in the global configuration file.
DontReadStdin
Specifies whether to redirect input from /dev/null. The argument must
be yes or no. The default is no.
EkInitString
Specifies the initialization string for the external key provider for
accessing external keys for user authentication. See
ssh-externalkeys(4) for more information. This feature is only available
when external key support is included in the software.
EkProvider
Specifies the external key provider for accessing external keys for
user authentication. See ssh-externalkeys(4) for more information. This
feature is only available when external key support is included in the
software.
EnforceSecureRutils
Specifies whether or not to configure the suite of r* commands (rsh,
rlogin, and rcp commands and applications that use the rcmd function)
to automatically use a Secure Shell connection.
The argument must be yes or no. The default is no in the
/etc/ssh2/ssh2_config file and yes in the $HOME/.ssh2/ssh2_config file
of the root account.
For this option to work, TcpForwarding must be enabled on the remote
Secure Shell server.
EscapeChar
Sets the escape character. The escape character can also be set on the
command line. The argument should be a single character; for example,
^ followed by a letter, or none to disable the escape character entirely
(making the connection transparent for binary data). The default
escape character is the tilde (~).
ForcePTTYAllocation
Specifies whether to allocate a terminal if a command is given. The
argument must be yes or no. The default is no.
ForwardAgent
Specifies whether the connection to the authentication agent (if any)
will be forwarded to the remote system. The argument must be yes or no.
The default is yes.
ForwardX11
Specifies whether X11 connections will be automatically redirected over
the secure channel and if the DISPLAY environment variable will be set.
The argument must be yes or no. The default is yes.
GatewayPorts
Specifies whether remote hosts can connect to locally forwarded ports.
The argument must be yes or no. The default is no.
GoBackground
Specifies whether the client will go to the background after
authentication is complete and the forwardings established. This is
useful if the ssh2 client is going to ask for passwords or passphrases,
but the user wants it in the background. The argument must be yes, no,
or oneshot. With oneshot, the client behaves the same way as with the
ssh2 -f o command. The default is no.
Host
Specifies the host name to log into. With the expression format, this
can be used to specify nicknames or abbreviations for hosts. The
default is the name given on the command line. Numeric IP addresses are
also permitted (both on the command line and in HostName
specifications).
The expression: format denotes the start of a per-host configuration
block, where expression is an arbitrary string that distinguishes this
block from others. The expression can contain wildcards. The
expression will be compared with the host name obtained from the
command line, and if it matches, the block will be evaluated.
Evaluation stops at the next expression: line. If more than one match
is found, the last obtained value will be effective. Note that the
expression does not have to be a real host name, as long as the
expression block contains a Host configuration parameter, where the
real host name to connect to is defined.
HostCA ca-certificate
Specifies the Certificate Authority (CA) certificate (in binary or PEM
[base64] format) to be used when authenticating remote hosts. The
certificate received from the host must be issued by the specified CA
and must contain an alternate, fully qualified domain name. If the
remote host name is not fully qualified, the domain specified by the
DefaultDomain configuration option is appended to it before comparing
it to certificate alternate names. If no CA certificates are specified
in the configuration file, the protocol tries to do key exchange with
ordinary public keys. Otherwise certificates are preferred. Multiple
CAs are permitted.
HostCANoCRLs ca-certificate
Similar to HostCA, but disables Certificate Revocation List (CRL)
checking for the given ca-certificate.
IdentityFile
Specifies the name of the user's identification file.
KeepAlive
Specifies whether the keepalive messages are sent. If they are sent,
the loss of a connection or crash of a system will be noticed.
However, this means that connections will die if the route is down
temporarily. The argument must be yes or no. The default is yes (send
keepalive messages). To disable keepalive messages, set the value to no
in both the server and the client configuration files.
LdapServers ldap://server.domain-name:389
CRLs are automatically retrieved from the CRL distribution point
defined in the certificate to be checked if the point exists.
Otherwise, the comma-separated server list given by the LdapServers
keyword is used. If intermediate CA certificates are needed in
certificate validity checking, this keyword must be used or retrieving
the certificates will fail.
LocalForward
Specifies that a TCP/IP port on the local system be forwarded over the
secure channel to the given host:port on the remote system. The
argument format is port:host:hostport. See the -L option in ssh2(1) for
information on forward definitions.
MACs
Specifies the Message Authentication Code (MAC) algorithm to use for
data integrity verification. Supported MAC algorithms are hmac-sha1,
hmac-sha1-96, hmac-md5, hmac-md5-96, hmac-ripemd160, and
hmac-ripemd160-96, of which hmac-sha1, hmac-sha1-96, hmac-md5 and
hmac-md5-96 are included in all distributions.
Use a comma-separated list when specifying more than one MAC. Special
arguments to this keyword are Any, Anystd, none, AnyMac and AnyStdMac.
The Any argument allows all MACs including none; the AnyStd argument
allows only those mentioned in the IETF-SecSH draft and none; the none
argument forbids any use of MACs; the AnyMac and AnyStdMac arguments
are analogous to the first two cases but exclude none. The AnyStdMac
argument is the default.
NoDelay
Specifies whether to enable the TCP_NODELAY socket option. The
argument must be yes or no. The default is no.
NumberofPasswordPrompts
Specifies the number of password prompts permitted. The argument must
be an integer. The default value is 3. The server also limits the
number of attempts, so setting this value larger than the server's
value does not have any effect.
PasswordPrompt
Specifies the password prompt displayed when users log in. Variables %U
and %H can be used to give the user's login name and host name,
respectively.
Port
Specifies the port number on the remote host. The default is port
number 22.
QuietMode
Suppresses all warnings and diagnostic messages, except fatal errors.
The argument must be yes or no. The default is no.
RandomSeedFile
Specifies the name of the user's random seed file. The default is the
$HOME/.ssh2/random_seed file, where $HOME is the home directory of the
user's account.
RekeyIntervalSeconds
Specifies the number of seconds between key exchanges. The default is
3600 seconds (one hour). A value of 0 (zero) turns rekey requests off.
This does not prevent the server from requesting rekeys. Other servers
might not have rekey capabilities implemented correctly, and might not
support rekey requests. This means that they might terminate the
connection or the server might crash.
RemoteForward
Specifies that a TCP/IP port on the remote system be forwarded over the
secure channel to the specified host:port from the local system. The
argument format is port:host:hostport. See the -R option in the
ssh2(1) file for more information on forward definitions.
SetRemoteEnv
Specifies an environment variable to set in the server before executing
a shell or command. The value should be of the form VAR=val. The val
field can be empty. You can specify multiple variables by using
multiple options. Setting the variable can fail on the server end. See
SettableEnvironmentVars in sshd2_config(4).
Note
This feature is not implemented in Secure Shell versions 3.0.x and
earlier.
Ssh1AgentCompatibility
Specifies whether to forward an SSH1 agent connection. Arguments are
none, traditional, and ssh2. With the none (default) value, the SSH1
agent connection is not forwarded. With the traditional value, the
SSH1 agent connection is forwarded transparently. The traditional
value can always be used, but it constitutes a security risk, because
the agent does not get the information about the forwarding path. The
ssh2 value makes SSH1 agent forwarding similar to SSH2 agent
forwarding, and with this mode the agent gets the information about the
agent forwarding path. The ssh2 value can be used only if you use
ssh-agent2 in SSH1 compatibility mode.
Ssh1Compatibility
Specifies whether to use SSH1 compatibility codes. The argument must
be yes or no. With this option, ssh1 executes if the server supports
only SSH 1.x protocols.
Ssh1InternalEmulation
Specifies whether to use SSH1 internal emulation code. With this
option, ssh2 can communicate with ssh1 servers, without using an
external ssh1 program. The argument must be yes or no. (This option
currently is not supported.)
Ssh1MaskPasswordLength
Specifies whether to send SSH_MSG_IGNORE packets to mask the password
length. The argument must be yes or no. The default is yes.
Ssh1Path
Specifies the path to the ssh1 client, which is executed if the server
supports only SSH 1.x protocols. The arguments for ssh2 are passed to
the ssh1 client.
SocksServer
Overrides the value of the SSH_SOCKS_SERVER environment variable.
StrictHostKeyChecking
Specifies whether the client automatically adds new host keys to the
$HOME/.ssh2/hostkeys file. The argument must be yes, ask, or no. The
default is ask.
If the argument is set to yes, new host keys will never be added
automatically to the hostkeys file, and connections will be refused to
hosts whose host key has changed. This provides maximum protection
against man-in-the-middle attacks. The yes argument forces the user to
add all new hosts manually.
If the argument is set to ask, new hosts will be added automatically to
the hostkeys file after the user confirms this is the intent. If a host
key changes, you will be asked if you want to accept the new host key
as the only valid one.
If the argument is set to no, new hosts will be added automatically to
the hostkeys file without prompting the user.
The host keys of known hosts will be verified automatically.
TrustX11Applications
Specifies whether the Xserver should treat X11 client applications as
trusted (when forwarding X11). Treating X11 applications as untrusted
avoids the problem that logging into a compromised host allows
applications on that host to detect any input operations via the
forwarded X11 connection. You should only use this option if the X
client program you are running needs exceptional privileges for the
Xserver. The ssh1 internal emulation mode does not support the SECURITY
extension. The argument must be yes or no. The default is no.
User
Specifies the user name. This keyword can be useful if you have a
different user name on different systems. You do not have to specify
the user name on the command line.
UseSocks5
Use SOCKS5 instead of SOCKS4 when connecting to the remote host. You have
to set SocksServer to a meaningful value. The argument must be yes or
no. The default is no (i.e., use SOCKS4).
VerboseMode
Specifies whether debugging messages are displayed. The argument must
be yes or no. The default is no.
XauthPath
Specifies where to find the xauth program. The default is set by the
configure script.
LEGAL NOTICES
SSH is a registered trademark of SSH Communication Security Ltd.
SEE ALSO
Commands: ssh2(1)
Files: ssh_certificates(4)