Annotation of src/usr.bin/ssh/ssh_config.5, Revision 1.13
1.1 stevesk 1: .\" -*- nroff -*-
2: .\"
3: .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4: .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5: .\" All rights reserved
6: .\"
7: .\" As far as I am concerned, the code I have written for this software
8: .\" can be used freely for any purpose. Any derived versions of this
9: .\" software must be clearly marked as such, and if the derived work is
10: .\" incompatible with the protocol description in the RFC file, it must be
11: .\" called by a name other than "ssh" or "Secure Shell".
12: .\"
13: .\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
14: .\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
15: .\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
16: .\"
17: .\" Redistribution and use in source and binary forms, with or without
18: .\" modification, are permitted provided that the following conditions
19: .\" are met:
20: .\" 1. Redistributions of source code must retain the above copyright
21: .\" notice, this list of conditions and the following disclaimer.
22: .\" 2. Redistributions in binary form must reproduce the above copyright
23: .\" notice, this list of conditions and the following disclaimer in the
24: .\" documentation and/or other materials provided with the distribution.
25: .\"
26: .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
27: .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
28: .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
29: .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
30: .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
31: .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
32: .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
33: .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34: .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35: .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36: .\"
1.13 ! jmc 37: .\" $OpenBSD: ssh_config.5,v 1.12 2003/06/02 08:31:10 jakob Exp $
1.1 stevesk 38: .Dd September 25, 1999
39: .Dt SSH_CONFIG 5
40: .Os
41: .Sh NAME
42: .Nm ssh_config
43: .Nd OpenSSH SSH client configuration files
44: .Sh SYNOPSIS
45: .Bl -tag -width Ds -compact
46: .It Pa $HOME/.ssh/config
47: .It Pa /etc/ssh/ssh_config
48: .El
49: .Sh DESCRIPTION
50: .Nm ssh
51: obtains configuration data from the following sources in
52: the following order:
1.2 stevesk 53: .Bl -enum -offset indent -compact
54: .It
55: command-line options
56: .It
57: user's configuration file
58: .Pq Pa $HOME/.ssh/config
59: .It
60: system-wide configuration file
61: .Pq Pa /etc/ssh/ssh_config
62: .El
1.1 stevesk 63: .Pp
64: For each parameter, the first obtained value
65: will be used.
66: The configuration files contain sections bracketed by
67: .Dq Host
68: specifications, and that section is only applied for hosts that
69: match one of the patterns given in the specification.
70: The matched host name is the one given on the command line.
71: .Pp
72: Since the first obtained value for each parameter is used, more
73: host-specific declarations should be given near the beginning of the
74: file, and general defaults at the end.
75: .Pp
76: The configuration file has the following format:
77: .Pp
78: Empty lines and lines starting with
79: .Ql #
80: are comments.
81: .Pp
82: Otherwise a line is of the format
83: .Dq keyword arguments .
84: Configuration options may be separated by whitespace or
85: optional whitespace and exactly one
86: .Ql = ;
87: the latter format is useful to avoid the need to quote whitespace
88: when specifying configuration options using the
89: .Nm ssh ,
90: .Nm scp
91: and
92: .Nm sftp
93: .Fl o
94: option.
95: .Pp
96: The possible
97: keywords and their meanings are as follows (note that
98: keywords are case-insensitive and arguments are case-sensitive):
99: .Bl -tag -width Ds
100: .It Cm Host
101: Restricts the following declarations (up to the next
102: .Cm Host
103: keyword) to be only for those hosts that match one of the patterns
104: given after the keyword.
105: .Ql \&*
106: and
107: .Ql ?
108: can be used as wildcards in the
109: patterns.
110: A single
111: .Ql \&*
112: as a pattern can be used to provide global
113: defaults for all hosts.
114: The host is the
115: .Ar hostname
116: argument given on the command line (i.e., the name is not converted to
117: a canonicalized host name before matching).
1.10 djm 118: .It Cm AddressFamily
1.11 jmc 119: Specifies which address family to use when connecting.
120: Valid arguments are
1.10 djm 121: .Dq any ,
122: .Dq inet
123: (Use IPv4 only) or
124: .Dq inet6
125: (Use IPv6 only.)
1.1 stevesk 126: .It Cm AFSTokenPassing
127: Specifies whether to pass AFS tokens to remote host.
128: The argument to this keyword must be
129: .Dq yes
130: or
131: .Dq no .
132: This option applies to protocol version 1 only.
133: .It Cm BatchMode
134: If set to
135: .Dq yes ,
136: passphrase/password querying will be disabled.
137: This option is useful in scripts and other batch jobs where no user
138: is present to supply the password.
139: The argument must be
140: .Dq yes
141: or
142: .Dq no .
143: The default is
144: .Dq no .
145: .It Cm BindAddress
146: Specify the interface to transmit from on machines with multiple
147: interfaces or aliased addresses.
148: Note that this option does not work if
149: .Cm UsePrivilegedPort
150: is set to
151: .Dq yes .
152: .It Cm ChallengeResponseAuthentication
153: Specifies whether to use challenge response authentication.
154: The argument to this keyword must be
155: .Dq yes
156: or
157: .Dq no .
158: The default is
159: .Dq yes .
160: .It Cm CheckHostIP
161: If this flag is set to
162: .Dq yes ,
163: ssh will additionally check the host IP address in the
164: .Pa known_hosts
165: file.
166: This allows ssh to detect if a host key changed due to DNS spoofing.
167: If the option is set to
168: .Dq no ,
169: the check will not be executed.
170: The default is
171: .Dq yes .
172: .It Cm Cipher
173: Specifies the cipher to use for encrypting the session
174: in protocol version 1.
175: Currently,
176: .Dq blowfish ,
177: .Dq 3des ,
178: and
179: .Dq des
180: are supported.
181: .Ar des
182: is only supported in the
183: .Nm ssh
184: client for interoperability with legacy protocol 1 implementations
185: that do not support the
186: .Ar 3des
1.7 jmc 187: cipher.
188: Its use is strongly discouraged due to cryptographic weaknesses.
1.1 stevesk 189: The default is
190: .Dq 3des .
191: .It Cm Ciphers
192: Specifies the ciphers allowed for protocol version 2
193: in order of preference.
194: Multiple ciphers must be comma-separated.
195: The default is
196: .Pp
197: .Bd -literal
198: ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
199: aes192-cbc,aes256-cbc''
200: .Ed
201: .It Cm ClearAllForwardings
202: Specifies that all local, remote and dynamic port forwardings
203: specified in the configuration files or on the command line be
1.7 jmc 204: cleared.
205: This option is primarily useful when used from the
1.1 stevesk 206: .Nm ssh
207: command line to clear port forwardings set in
208: configuration files, and is automatically set by
209: .Xr scp 1
210: and
211: .Xr sftp 1 .
212: The argument must be
213: .Dq yes
214: or
215: .Dq no .
216: The default is
217: .Dq no .
218: .It Cm Compression
219: Specifies whether to use compression.
220: The argument must be
221: .Dq yes
222: or
223: .Dq no .
224: The default is
225: .Dq no .
226: .It Cm CompressionLevel
227: Specifies the compression level to use if compression is enabled.
228: The argument must be an integer from 1 (fast) to 9 (slow, best).
229: The default level is 6, which is good for most applications.
230: The meaning of the values is the same as in
231: .Xr gzip 1 .
232: Note that this option applies to protocol version 1 only.
233: .It Cm ConnectionAttempts
234: Specifies the number of tries (one per second) to make before exiting.
235: The argument must be an integer.
236: This may be useful in scripts if the connection sometimes fails.
237: The default is 1.
1.9 djm 238: .It Cm ConnectTimeout
239: Specifies the timeout (in seconds) used when connecting to the ssh
1.11 jmc 240: server, instead of using the default system TCP timeout.
241: This value is used only when the target is down or really unreachable,
242: not when it refuses the connection.
1.1 stevesk 243: .It Cm DynamicForward
244: Specifies that a TCP/IP port on the local machine be forwarded
245: over the secure channel, and the application
246: protocol is then used to determine where to connect to from the
1.7 jmc 247: remote machine.
248: The argument must be a port number.
1.1 stevesk 249: Currently the SOCKS4 protocol is supported, and
250: .Nm ssh
251: will act as a SOCKS4 server.
252: Multiple forwardings may be specified, and
1.7 jmc 253: additional forwardings can be given on the command line.
254: Only the superuser can forward privileged ports.
1.1 stevesk 255: .It Cm EscapeChar
256: Sets the escape character (default:
257: .Ql ~ ) .
258: The escape character can also
259: be set on the command line.
260: The argument should be a single character,
261: .Ql ^
262: followed by a letter, or
263: .Dq none
264: to disable the escape
265: character entirely (making the connection transparent for binary
266: data).
267: .It Cm ForwardAgent
268: Specifies whether the connection to the authentication agent (if any)
269: will be forwarded to the remote machine.
270: The argument must be
271: .Dq yes
272: or
273: .Dq no .
274: The default is
275: .Dq no .
1.3 stevesk 276: .Pp
1.7 jmc 277: Agent forwarding should be enabled with caution.
278: Users with the ability to bypass file permissions on the remote host
279: (for the agent's Unix-domain socket)
280: can access the local agent through the forwarded connection.
281: An attacker cannot obtain key material from the agent,
1.3 stevesk 282: however they can perform operations on the keys that enable them to
283: authenticate using the identities loaded into the agent.
1.1 stevesk 284: .It Cm ForwardX11
285: Specifies whether X11 connections will be automatically redirected
286: over the secure channel and
287: .Ev DISPLAY
288: set.
289: The argument must be
290: .Dq yes
291: or
292: .Dq no .
293: The default is
294: .Dq no .
1.3 stevesk 295: .Pp
1.7 jmc 296: X11 forwarding should be enabled with caution.
297: Users with the ability to bypass file permissions on the remote host
298: (for the user's X authorization database)
299: can access the local X11 display through the forwarded connection.
300: An attacker may then be able to perform activities such as keystroke monitoring.
1.1 stevesk 301: .It Cm GatewayPorts
302: Specifies whether remote hosts are allowed to connect to local
303: forwarded ports.
304: By default,
305: .Nm ssh
1.7 jmc 306: binds local port forwardings to the loopback address.
307: This prevents other remote hosts from connecting to forwarded ports.
1.1 stevesk 308: .Cm GatewayPorts
309: can be used to specify that
310: .Nm ssh
311: should bind local port forwardings to the wildcard address,
312: thus allowing remote hosts to connect to forwarded ports.
313: The argument must be
314: .Dq yes
315: or
316: .Dq no .
317: The default is
318: .Dq no .
319: .It Cm GlobalKnownHostsFile
320: Specifies a file to use for the global
321: host key database instead of
322: .Pa /etc/ssh/ssh_known_hosts .
323: .It Cm HostbasedAuthentication
324: Specifies whether to try rhosts based authentication with public key
325: authentication.
326: The argument must be
327: .Dq yes
328: or
329: .Dq no .
330: The default is
331: .Dq no .
332: This option applies to protocol version 2 only and
333: is similar to
334: .Cm RhostsRSAAuthentication .
335: .It Cm HostKeyAlgorithms
336: Specifies the protocol version 2 host key algorithms
337: that the client wants to use in order of preference.
338: The default for this option is:
339: .Dq ssh-rsa,ssh-dss .
340: .It Cm HostKeyAlias
341: Specifies an alias that should be used instead of the
342: real host name when looking up or saving the host key
343: in the host key database files.
344: This option is useful for tunneling ssh connections
345: or for multiple servers running on a single host.
346: .It Cm HostName
347: Specifies the real host name to log into.
348: This can be used to specify nicknames or abbreviations for hosts.
349: Default is the name given on the command line.
350: Numeric IP addresses are also permitted (both on the command line and in
351: .Cm HostName
352: specifications).
353: .It Cm IdentityFile
354: Specifies a file from which the user's RSA or DSA authentication identity
1.11 jmc 355: is read.
356: The default is
1.1 stevesk 357: .Pa $HOME/.ssh/identity
358: for protocol version 1, and
359: .Pa $HOME/.ssh/id_rsa
360: and
361: .Pa $HOME/.ssh/id_dsa
362: for protocol version 2.
363: Additionally, any identities represented by the authentication agent
364: will be used for authentication.
365: The file name may use the tilde
366: syntax to refer to a user's home directory.
367: It is possible to have
368: multiple identity files specified in configuration files; all these
369: identities will be tried in sequence.
370: .It Cm KeepAlive
371: Specifies whether the system should send TCP keepalive messages to the
372: other side.
373: If they are sent, death of the connection or crash of one
374: of the machines will be properly noticed.
375: However, this means that
376: connections will die if the route is down temporarily, and some people
377: find it annoying.
378: .Pp
379: The default is
380: .Dq yes
381: (to send keepalives), and the client will notice
382: if the network goes down or the remote host dies.
383: This is important in scripts, and many users want it too.
384: .Pp
385: To disable keepalives, the value should be set to
386: .Dq no .
387: .It Cm KerberosAuthentication
388: Specifies whether Kerberos authentication will be used.
389: The argument to this keyword must be
390: .Dq yes
391: or
392: .Dq no .
393: .It Cm KerberosTgtPassing
394: Specifies whether a Kerberos TGT will be forwarded to the server.
395: This will only work if the Kerberos server is actually an AFS kaserver.
396: The argument to this keyword must be
397: .Dq yes
398: or
399: .Dq no .
400: .It Cm LocalForward
401: Specifies that a TCP/IP port on the local machine be forwarded over
402: the secure channel to the specified host and port from the remote machine.
403: The first argument must be a port number, and the second must be
404: .Ar host:port .
405: IPv6 addresses can be specified with an alternative syntax:
406: .Ar host/port .
407: Multiple forwardings may be specified, and additional
408: forwardings can be given on the command line.
409: Only the superuser can forward privileged ports.
410: .It Cm LogLevel
411: Gives the verbosity level that is used when logging messages from
412: .Nm ssh .
413: The possible values are:
414: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3.
1.7 jmc 415: The default is INFO.
416: DEBUG and DEBUG1 are equivalent.
417: DEBUG2 and DEBUG3 each specify higher levels of verbose output.
1.1 stevesk 418: .It Cm MACs
419: Specifies the MAC (message authentication code) algorithms
420: in order of preference.
421: The MAC algorithm is used in protocol version 2
422: for data integrity protection.
423: Multiple algorithms must be comma-separated.
424: The default is
425: .Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
426: .It Cm NoHostAuthenticationForLocalhost
427: This option can be used if the home directory is shared across machines.
428: In this case localhost will refer to a different machine on each of
429: the machines and the user will get many warnings about changed host keys.
430: However, this option disables host authentication for localhost.
431: The argument to this keyword must be
432: .Dq yes
433: or
434: .Dq no .
435: The default is to check the host key for localhost.
436: .It Cm NumberOfPasswordPrompts
437: Specifies the number of password prompts before giving up.
438: The argument to this keyword must be an integer.
439: Default is 3.
440: .It Cm PasswordAuthentication
441: Specifies whether to use password authentication.
442: The argument to this keyword must be
443: .Dq yes
444: or
445: .Dq no .
446: The default is
447: .Dq yes .
448: .It Cm Port
449: Specifies the port number to connect on the remote host.
450: Default is 22.
451: .It Cm PreferredAuthentications
452: Specifies the order in which the client should try protocol 2
1.11 jmc 453: authentication methods.
454: This allows a client to prefer one method (e.g.
1.1 stevesk 455: .Cm keyboard-interactive )
456: over another method (e.g.
457: .Cm password )
458: The default for this option is:
459: .Dq hostbased,publickey,keyboard-interactive,password .
460: .It Cm Protocol
461: Specifies the protocol versions
462: .Nm ssh
463: should support in order of preference.
464: The possible values are
465: .Dq 1
466: and
467: .Dq 2 .
468: Multiple versions must be comma-separated.
469: The default is
470: .Dq 2,1 .
471: This means that
472: .Nm ssh
473: tries version 2 and falls back to version 1
474: if version 2 is not available.
475: .It Cm ProxyCommand
476: Specifies the command to use to connect to the server.
477: The command
478: string extends to the end of the line, and is executed with
479: .Pa /bin/sh .
480: In the command string,
481: .Ql %h
482: will be substituted by the host name to
483: connect and
484: .Ql %p
485: by the port.
486: The command can be basically anything,
487: and should read from its standard input and write to its standard output.
488: It should eventually connect an
489: .Xr sshd 8
490: server running on some machine, or execute
491: .Ic sshd -i
492: somewhere.
493: Host key management will be done using the
494: HostName of the host being connected (defaulting to the name typed by
495: the user).
1.7 jmc 496: Setting the command to
497: .Dq none
1.6 markus 498: disables this option entirely.
1.1 stevesk 499: Note that
500: .Cm CheckHostIP
501: is not available for connects with a proxy command.
502: .Pp
503: .It Cm PubkeyAuthentication
504: Specifies whether to try public key authentication.
505: The argument to this keyword must be
506: .Dq yes
507: or
508: .Dq no .
509: The default is
510: .Dq yes .
511: This option applies to protocol version 2 only.
512: .It Cm RemoteForward
513: Specifies that a TCP/IP port on the remote machine be forwarded over
514: the secure channel to the specified host and port from the local machine.
515: The first argument must be a port number, and the second must be
516: .Ar host:port .
517: IPv6 addresses can be specified with an alternative syntax:
518: .Ar host/port .
519: Multiple forwardings may be specified, and additional
520: forwardings can be given on the command line.
521: Only the superuser can forward privileged ports.
522: .It Cm RhostsAuthentication
523: Specifies whether to try rhosts based authentication.
524: Note that this
525: declaration only affects the client side and has no effect whatsoever
526: on security.
527: Most servers do not permit RhostsAuthentication because it
528: is not secure (see
529: .Cm RhostsRSAAuthentication ) .
530: The argument to this keyword must be
531: .Dq yes
532: or
533: .Dq no .
534: The default is
535: .Dq no .
1.4 stevesk 536: This option applies to protocol version 1 only and requires
537: .Nm ssh
538: to be setuid root and
539: .Cm UsePrivilegedPort
540: to be set to
541: .Dq yes .
1.1 stevesk 542: .It Cm RhostsRSAAuthentication
543: Specifies whether to try rhosts based authentication with RSA host
544: authentication.
545: The argument must be
546: .Dq yes
547: or
548: .Dq no .
549: The default is
550: .Dq no .
551: This option applies to protocol version 1 only and requires
552: .Nm ssh
553: to be setuid root.
554: .It Cm RSAAuthentication
555: Specifies whether to try RSA authentication.
556: The argument to this keyword must be
557: .Dq yes
558: or
559: .Dq no .
560: RSA authentication will only be
561: attempted if the identity file exists, or an authentication agent is
562: running.
563: The default is
564: .Dq yes .
565: Note that this option applies to protocol version 1 only.
566: .It Cm SmartcardDevice
1.11 jmc 567: Specifies which smartcard device to use.
568: The argument to this keyword is the device
1.1 stevesk 569: .Nm ssh
570: should use to communicate with a smartcard used for storing the user's
1.11 jmc 571: private RSA key.
572: By default, no device is specified and smartcard support is not activated.
1.1 stevesk 573: .It Cm StrictHostKeyChecking
574: If this flag is set to
575: .Dq yes ,
576: .Nm ssh
577: will never automatically add host keys to the
578: .Pa $HOME/.ssh/known_hosts
579: file, and refuses to connect to hosts whose host key has changed.
580: This provides maximum protection against trojan horse attacks,
581: however, can be annoying when the
582: .Pa /etc/ssh/ssh_known_hosts
583: file is poorly maintained, or connections to new hosts are
584: frequently made.
585: This option forces the user to manually
586: add all new hosts.
587: If this flag is set to
588: .Dq no ,
589: .Nm ssh
590: will automatically add new host keys to the
591: user known hosts files.
592: If this flag is set to
593: .Dq ask ,
594: new host keys
595: will be added to the user known host files only after the user
596: has confirmed that is what they really want to do, and
597: .Nm ssh
598: will refuse to connect to hosts whose host key has changed.
599: The host keys of
600: known hosts will be verified automatically in all cases.
601: The argument must be
602: .Dq yes ,
603: .Dq no
604: or
605: .Dq ask .
606: The default is
607: .Dq ask .
608: .It Cm UsePrivilegedPort
609: Specifies whether to use a privileged port for outgoing connections.
610: The argument must be
611: .Dq yes
612: or
613: .Dq no .
614: The default is
615: .Dq no .
1.4 stevesk 616: If set to
617: .Dq yes
618: .Nm ssh
619: must be setuid root.
1.1 stevesk 620: Note that this option must be set to
621: .Dq yes
622: if
623: .Cm RhostsAuthentication
624: and
625: .Cm RhostsRSAAuthentication
626: authentications are needed with older servers.
627: .It Cm User
628: Specifies the user to log in as.
629: This can be useful when a different user name is used on different machines.
630: This saves the trouble of
631: having to remember to give the user name on the command line.
632: .It Cm UserKnownHostsFile
633: Specifies a file to use for the user
634: host key database instead of
635: .Pa $HOME/.ssh/known_hosts .
1.8 jakob 636: .It Cm VerifyHostKeyDNS
637: Specifies whether to verify the remote key using DNS and SSHFP resource
638: records.
639: The default is
640: .Dq no .
1.12 jakob 641: Note that this option applies to protocol version 2 only.
1.1 stevesk 642: .It Cm XAuthLocation
1.5 stevesk 643: Specifies the full pathname of the
1.1 stevesk 644: .Xr xauth 1
645: program.
646: The default is
647: .Pa /usr/X11R6/bin/xauth .
648: .El
649: .Sh FILES
650: .Bl -tag -width Ds
651: .It Pa $HOME/.ssh/config
652: This is the per-user configuration file.
653: The format of this file is described above.
654: This file is used by the
655: .Nm ssh
656: client.
657: This file does not usually contain any sensitive information,
658: but the recommended permissions are read/write for the user, and not
659: accessible by others.
660: .It Pa /etc/ssh/ssh_config
661: Systemwide configuration file.
662: This file provides defaults for those
663: values that are not specified in the user's configuration file, and
664: for those users who do not have a configuration file.
665: This file must be world-readable.
666: .El
1.13 ! jmc 667: .Sh SEE ALSO
! 668: .Xr ssh 1
1.1 stevesk 669: .Sh AUTHORS
670: OpenSSH is a derivative of the original and free
671: ssh 1.2.12 release by Tatu Ylonen.
672: Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
673: Theo de Raadt and Dug Song
674: removed many bugs, re-added newer features and
675: created OpenSSH.
676: Markus Friedl contributed the support for SSH
677: protocol versions 1.5 and 2.0.