ssh_config(4)
NAME
ssh_config - ssh configuration file
SYNOPSIS
/etc/ssh/ssh_config
$HOME/.ssh/config
DESCRIPTION
The first file listed above, /etc/ssh/ssh_config, holds the
host-wide defaults for ssh(1). The second, $HOME/.ssh/config,
holds user-specific defaults for ssh.
ssh obtains configuration data from the following sources
(in this order): command line options, user's configuration
file ($HOME/.ssh/config), and system-wide configuration file
(/etc/ssh/ssh_config). For each parameter, the first
obtained value will be used. The configuration files contain
sections bracketed by Host specifications, and that section
is applied only for hosts that match one of the patterns
given in the specification. The matched host name is the one
given on the command line.
Since the first obtained value for each parameter is used,
host-specific declarations should be given near the beginning
of the file, and general defaults at the end.
In the configuration file, empty lines and lines starting
with a hash mark (#) are comments. Otherwise, a line is of
the format: keyword arguments. Interpretation of the file is
case-sensitive. The possible keywords and their meanings are
as follows:
Host
Restricts the following declarations (up to the next
Host keyword) to be only for those hosts that match
one of the patterns given after the keyword. Asterisk
(*) and question mark (?) can be used as wildcards in
the patterns. A single * as a pattern can be used to
provide global defaults for all hosts. The host is the
hostname argument given on the command line (that is,
the name is not converted to a canonicalized host name
before matching).
BatchMode
The argument must be yes or no. If set to yes,
passphrase/password querying will be disabled. This
option is useful in scripts and other batch jobs where
you have no user to supply the password.
CheckHostIP
If this flag is set to yes, ssh will additionally
check the host IP address in the known_hosts file.
This allows ssh to detect if a host key changed due to
DNS spoofing. If the option is set to no, the check
will not be executed.
Cipher
For protocol version 1, specifies the cipher to use for
encrypting the session; blowfish and 3des are the only
valid values. For protocol version 2, specifies the
ciphers allowed, in order of preference. Multiple
ciphers must be comma-separated. The default is
3des-cbc,blowfish-cbc,aes-128-cbc.
Compression
Specifies whether to use compression. The argument
must be yes or no.
CompressionLevel
Specifies the compression level to use if compression
is enabled. The argument must be an integer from 1
(fast) to 9 (slow, best). The default level is 6,
which is good for most applications.
ConnectionAttempts
Specifies the number of tries (one per second) to make
before falling back to rsh or exiting. The argument
must be an integer. This can be useful in scripts if
the connection sometimes fails.
DSAAuthentication
Specifies whether to try DSA authentication. The
argument to this keyword must be yes or no. DSA
authentication is attempted only if a DSA identity file
exists. Note that this option applies to protocol
version 2 only.
EscapeChar
Sets the escape character. The default is tilde (~).
The escape character can also be set on the command
line. The argument should be a single character, ^,
followed by a letter, or none to disable the escape
character entirely (making the connection transparent
for binary data).
FallBackToRsh
Specifies that if connecting with ssh fails due to a
connection refused error (there is no sshd(8) listening
on the remote host), rsh(1) should automatically
be used instead (after a suitable warning about the
session being unencrypted). The argument must be yes
or no.
ForwardAgent
Specifies whether the connection to the authentication
agent (if any) will be forwarded to the remote
machine. The argument must be yes or no. The default
is no.
ForwardX11
Specifies whether X11 connections will be automatically
redirected over the secure channel and DISPLAY
set. The argument must be yes or no. The default is
no.
GatewayPorts
Specifies whether remote hosts are allowed to connect
to local forwarded ports. The argument must be yes or
no. The default is no.
GlobalKnownHostsFile
Specifies a file to use instead of
/etc/ssh_known_hosts.
HostName
Specifies the real host name to log into. This can be
used to specify nicknames or abbreviations for hosts.
Default is the name given on the command line. Numeric
IP addresses are also permitted (both on the command
line and in HostName specifications).
IdentityFile
Specifies the file from which the user's RSA
authentication identity is read. The default is
$HOME/.ssh/identity in the user's home directory.
Additionally, any identities represented by the
authentication agent will be used for authentication.
The file name can use the tilde (~) syntax to refer to
a user's home directory. It is possible to have
multiple identity files specified in configuration files;
all of these identities will be tried in sequence.
IdentityFile2
Specifies the file from which the user's DSA
authentication identity is read. The default is
$HOME/.ssh/id_dsa in the user's home directory. The
file name can use the tilde (~) syntax to refer to a
user's home directory. It is possible to have multiple
identity files specified in configuration files; all
of these identities will be tried in sequence.
KeepAlive
Specifies whether the system should send keepalive
messages to the other side. If they are sent, death of
the connection or crash of one of the machines will be
properly noticed. However, this means that connections
die if the route is down temporarily, which can be a
source of annoyance.
The default is yes (to send keepalives), which means
the client notices if the network goes down or the
remote host dies. This is important in scripts, and
many users want it too. To disable keepalives, the
value should be set to no in both the server and the
client configuration files.
LocalForward
Specifies that a TCP/IP port on the local machine be
forwarded over the secure channel to a given host:port
from the remote machine. The first argument must be a
port number, and the second must be host:port.
Multiple forwardings may be specified, and additional
forwardings can be given on the command line. Only the
superuser can forward privileged ports.
LogLevel
Gives the verbosity level that is used when logging
messages from ssh. The possible values are: QUIET,
FATAL, ERROR, INFO, VERBOSE and DEBUG. The default is
INFO.
NumberOfPasswordPrompts
Specifies the number of password prompts before giving
up. The argument to this keyword must be an integer.
The default is 3.
PasswordAuthentication
Specifies whether to use password authentication. The
argument to this keyword must be yes or no. Note that
this option applies to both protocol versions 1 and 2.
Port
Specifies the port number to connect to on the remote
host. The default is 22.
Protocol
Specifies the protocol versions ssh should support in
order of preference. The possible values are 1 and 2.
Multiple versions must be comma-separated. The default
is 1,2. This means that ssh tries version 1 and falls
back to version 2 if version 1 is not available.
ProxyCommand
Specifies the command to use to connect to the server.
The command string extends to the end of the line, and
is executed with /bin/sh. In the command string, %h is
substituted by the host name to connect to and %p by the
port. The string can be any valid command, and should
read from its standard input and write to its standard
output. It should eventually connect to an sshd(1M)
server running on some machine, or execute sshd -i
somewhere. Host key management will be done using the
HostName of the host being connected (defaulting to
the name typed by the user). Note that CheckHostIP is
not available for connects with a proxy command.
RemoteForward
Specifies that a TCP/IP port on the remote machine be
forwarded over the secure channel to a given host:port
from the local machine. The first argument must be a
port number, and the second must be host:port. You can
specify multiple forwardings and give additional
forwardings on the command line. Only the superuser can
forward privileged ports.
RhostsAuthentication
Specifies whether to try rhosts-based authentication.
Note that this declaration affects only the client
side and has no effect whatsoever on security.
Disabling rhosts authentication can reduce authentication
time on slow connections when rhosts authentication is
not used. Most servers do not permit
RhostsAuthentication because it is not secure (see
RhostsRSAAuthentication). The argument to this keyword must be yes or
no.
RhostsRSAAuthentication
Specifies whether to try rhosts-based authentication
with RSA host authentication. This is the primary
authentication method for most sites. The argument
must be yes or no.
StrictHostKeyChecking
If this flag is set to yes, ssh will never
automatically add host keys to the $HOME/.ssh/known_hosts
file, and will refuse to connect to hosts whose host key
has changed. This provides maximum protection against
trojan horse attacks. However, it can be a source of
inconvenience if you do not have good
/etc/ssh_known_hosts files installed and frequently
connect to new hosts. This option forces the user to
manually add any new hosts. Normally this option is
disabled, and new hosts will automatically be added to
the known host files. The host keys of known hosts
will be verified automatically in either case. The
argument must be yes or no.
UsePrivilegedPort
Specifies whether to use a privileged port for
outgoing connections. The argument must be yes or no. The
default is yes. Note that setting this option to no
turns off RhostsAuthentication and
RhostsRSAAuthentication.
User
Specifies the user to log in as. This can be useful if
you have different user names on different machines.
This saves you the trouble of having to remember to
enter the user name on the command line.
UserKnownHostsFile
Specifies a file to use instead of
$HOME/.ssh/known_hosts.
UseRsh
Specifies that rlogin or rsh should be used for this
host. It is possible that the host does not support
the ssh protocol. This causes ssh to immediately
execute rsh(1). All other options (except HostName) are
ignored if this has been specified. The argument must
be yes or no.
XAuthLocation
Specifies the location of the xauth(1) program. The
default is /usr/openwin/bin/xauth.
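EXAMPLES
The following Python sketch is an added example, not part of the original manual page or of ssh itself. It resolves the options in effect for one host using the first-obtained-value rule and the Host wildcard matching described above, then lists the explicitly set values that this page ties to a weaker session. The function names, the sample file contents, and the modelling of command line options as "keyword arguments" lines are assumptions made for illustration.

```python
import re

# Values this page ties to a weaker session; only explicit settings are checked.
WEAK = {
    ("FallBackToRsh", "yes"): "may fall back to unencrypted rsh",
    ("UseRsh", "yes"): "runs rsh instead of ssh",
    ("StrictHostKeyChecking", "no"): "new host keys are added automatically",
    ("CheckHostIP", "no"): "host IP is not checked against known_hosts",
}

def host_matches(host, patterns):
    """True if host matches any pattern; only * and ? act as wildcards."""
    def to_regex(pattern):
        return re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return any(re.fullmatch(to_regex(p), host) for p in patterns)

def resolve(host, sources):
    """sources: config texts in precedence order (command line, user, system)."""
    effective = {}
    for text in sources:
        active = True  # assumption: lines before the first Host apply to every host
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            keyword, *rest = line.split(None, 1)
            arg = rest[0] if rest else ""
            if keyword == "Host":  # keywords are case-sensitive
                active = host_matches(host, arg.split())
            elif active:
                # First obtained value wins. Simplification: repeatable keywords
                # (IdentityFile, LocalForward, RemoteForward) keep only the first.
                effective.setdefault(keyword, arg)
    return effective

def weak_settings(effective):
    return sorted(f"{k} {v}: {why}" for (k, v), why in WEAK.items()
                  if effective.get(k) == v)

# Constructed sample files, not taken from any real system.
USER_CONFIG = """\
Host build-??
User ci
StrictHostKeyChecking yes
Host *
StrictHostKeyChecking no
FallBackToRsh yes
"""
SYSTEM_CONFIG = "Host *\nFallBackToRsh no\nCheckHostIP yes\nUser nobody\n"
```

With these samples, the system-wide "FallBackToRsh no" never takes effect because the user's file is read first, and the general "Host *" section in the user's file cannot override the earlier host-specific StrictHostKeyChecking value for build-01.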
SEE ALSO
ssh(1), sshd_config(4)