ssh2_config man page on DigitalUNIX

ssh2_config(4)							ssh2_config(4)

NAME
       ssh2_config - Configuration file for the Secure Shell client

DESCRIPTION
       The Secure Shell client reads configuration data from the following
       sources, in this order:

       1.  the system's global configuration file (/etc/ssh2/ssh2_config)
       2.  the user's configuration file ($HOME/.ssh2/ssh2_config)
       3.  the command-line options

       For each keyword, the last obtained value will be effective.

       A configuration	file  can  begin  with	metaconfiguration  information
       (i.e., information about the configuration language).

       If  the	configuration  file  starts with a line matching the following
       egrep  style regex #.*VERSION[ \t\f]+[0-9]+.[0-9]+

       it is interpreted as the version of the configuration style.   If  this
       line is not found, the version is 1.0.

       The  version  string  can  be followed by one or more metaconfiguration
       parameters.  The lines have to start with the pound (#) sign, and  they
       have  to	 match	the  following	egrep  style regex: #[# \t]+[A-Z0-9]+[
       \t]+.*

       Parsing of metaconfiguration directives stops with the first non-recog‐
       nized line.

       Version	1.1  and  later recognize the following parameter: Denotes the
       regex syntax used to parse the configuration file.  The	value  can  be
       egrep,  ssh,  zsh_fileglob or traditional.  The zsh_fileglob and tradi‐
       tional arguments are synonymous. The arguments are not case-sensitive.

       In the ssh2_config file, expression denotes the	start  of  a  per-host
       configuration  block,   where  expression  is an arbitrary string which
       distinguishes this block from others.  The expression can contain wild‐
       cards, and will be compared with the hostname obtained from the command
       line. If it matches, the block will be evaluated.  Evaluation  stops at
       the  next  expression statement.	 If more than one match is  found, all
       will be evaluated and the last obtained values for parameters  will  be
       effective.  The expression does not have to be a real hostname, as long
       as the expression block contains a Host	configuration  parameter  that
       defines the real hostname.

       Empty  lines  and lines starting with the pound (#) sign are ignored as
       comments.

       Otherwise a line is of the format keyword arguments.

       It is possible to enclose arguments in quotes, and use the  standard  C
       convention.  Configuration  files  are case sensitive, but keywords are
       not case sensitive. Illegal keywords will prevent Secure Shell  clients
       from starting successfully.
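
       An added example, not part of the original man page or the vendor's
       code: Python that resolves the effective value of each keyword for a
       host, following the source order, per-host block matching and
       last-value-wins rule described above. The block-header syntax (a line
       ending in a colon), the use of fnmatch for wildcards, the function
       names and the sample files are assumptions.

```python
import fnmatch
import re

# Version-line regex quoted from the page (egrep style, "." kept as written).
VERSION_RE = re.compile(r"#.*VERSION[ \t\f]+([0-9]+.[0-9]+)")

# Constructed sample files; host names and values are made up.
GLOBAL_CFG = """## VERSION 1.1
StrictHostKeyChecking yes
DefaultDomain example.test
"""
USER_CFG = """*.example.test:
    BatchMode yes
build*:
    StrictHostKeyChecking no
"""

def config_version(text):
    """Configuration style version; 1.0 when the first line carries none."""
    lines = text.splitlines()
    m = VERSION_RE.search(lines[0]) if lines else None
    return m.group(1) if m else "1.0"

def parse(text):
    """Yield (block_expression, keyword, value); expression is None before any block."""
    expression = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # empty lines and # lines are comments
        if line.endswith(":"):            # ASSUMPTION: a block header is "expression:"
            expression = line[:-1]
            continue
        parts = line.split(None, 1)
        value = parts[1].strip('"') if len(parts) > 1 else ""
        yield expression, parts[0].lower(), value   # keywords are not case sensitive

def effective(host, global_text, user_text, cli_options=()):
    """Return {keyword: (value, origin)} after applying every source in order."""
    result = {}
    for source, text in (("global", global_text), ("user", user_text)):
        for expression, keyword, value in parse(text):
            # ASSUMPTION: fnmatch stands in for the zsh_fileglob wildcard syntax.
            if expression is None or fnmatch.fnmatchcase(host, expression):
                origin = source if expression is None else f"{source}:{expression}"
                result[keyword] = (value, origin)   # last obtained value wins
    for keyword, value in cli_options:              # command line is read last
        result[keyword.lower()] = (value, "command line")
    return result

if __name__ == "__main__":
    for host in ("build01.example.test", "db1.example.test"):
        value, origin = effective(host, GLOBAL_CFG, USER_CFG)["stricthostkeychecking"]
        print(f"{host}: StrictHostKeyChecking={value} (from {origin})")
```

       In the sample, the later build* block replaces the global
       StrictHostKeyChecking yes for build01.example.test, while
       db1.example.test keeps the global value.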

       Following are the ssh2_config file keywords:

              Specifies the authentication methods that the client uses.
              Supported authentication methods are keyboard-interactive,
              password, publickey, kerberos-2@ssh.com,
              kerberos-tgt-2@ssh.com, and hostbased. The default is
              publickey, keyboard-interactive, password.

              You can specify any or all authentication methods. Use a
              comma-separated list when specifying more than one argument.
              The order in which authentication methods are listed is the
              order in which they are used. The least interactive methods
              should be placed first in this list. The first successful
              authentication is the one used.

              Specifies whether to display the Authentication successful
              message after authentication has completed successfully. This
              is intended to prevent malicious servers from getting
              information from the user by displaying additional password or
              passphrase prompts. The argument must be yes or no. The default
              is yes.

              Specifies whether password or passphrase querying is disabled.
              This keyword is useful in scripts and other batch jobs where
              you don't have a user to supply the password. If the
              StrictHostKeyChecking keyword is set to ask, the client assumes
              a no answer because user input is not accepted when invoked
              with BatchMode yes. The argument must be yes or no. The default
              is no.

              Specifies the ciphers to use for encrypting the session.
              Supported ciphers are aes, blowfish, twofish, arcfour, cast,
              des, and 3des. Arguments for this keyword are any and anystd,
              that allow only standard ciphers and none, and anycipher that
              allows any available cipher or excludes non-encrypting cipher
              mode none but allows all others. The AnyStdCipher argument is
              the same as the AnyCipher argument, but includes only those
              ciphers mentioned in the IETF-SecSH-draft (excluding none). The
              AnyStdCipher argument is the default.

              Specifies whether to clear all defined remote and local
              forwarded ports. The argument must be yes or no. The scp
              command always automatically clears all forwarded ports.

              Specifies whether to use compression. The argument must be yes
              or no.

              Writes debug messages to the specified file. (Remember to
              enable debugging.)

              Determines the system name if only the base part of the system
              name is available by normal means (for example, those used by
              the hostname command). The results are appended to the found
              system name, if the system name returned does not contain a
              dot ( . ). This keyword is only useful if set in the global
              configuration file.

              Specifies whether to redirect input from /dev/null. The
              argument must be yes or no. The default is no.

              Specifies the initialization string for the external key
              provider for accessing external keys for user authentication.
              See ssh-externalkeys(4) for more information. This feature is
              only available when external key support is included in the
              software.

              Specifies the external key provider for accessing external
              keys for user authentication. See ssh-externalkeys(4) for more
              information. This feature is only available when external key
              support is included in the software.

              Specifies whether or not to configure the suite of r* commands
              (rsh, rlogin, and rcp commands and applications that use the
              rcmd function) to automatically use a Secure Shell connection.

              The argument must be yes or no. The default is no in the
              /etc/ssh2/ssh2_config file and yes in the
              $HOME/.ssh2/ssh2_config file of the root account.

              For this option to work, TcpForwarding must be enabled on the
              remote Secure Shell server.

              Sets the escape character. The escape character can also be
              set on the command line. The argument should be a single
              character; for example, ^ followed by a letter or none to
              disable the escape character entirely (making the connection
              transparent for binary data). The default escape character is
              the tilde (~).

              Specifies whether to allocate a terminal if a command is
              given. The argument must be yes or no. The default is no.

              Specifies whether the connection to the authentication agent
              (if any) will be forwarded to the remote system. The argument
              must be yes or no. The default is yes.

              Specifies whether X11 connections will be automatically
              redirected over the secure channel and if the DISPLAY
              environment variable will be set. The argument must be yes or
              no. The default is yes.

              Specifies whether remote hosts can connect to locally
              forwarded ports. The argument must be yes or no. The default
              is no.

              Specifies whether the client will go to the background after
              authentication is complete and the forwardings established.
              This is useful if the ssh2 client is going to ask for
              passwords or passphrases, but the user wants it in the
              background. The argument must be yes, no, or oneshot. With
              oneshot, the client behaves the same way as with the
              ssh2 -f o command. The default is no.

              Specifies the host name to log into. With the expression
              format, this can be used to specify nicknames or abbreviations
              for hosts. The default is the name given on the command line.
              Numeric IP addresses are also permitted (both on the command
              line and in HostName specifications).

              The expression format denotes the start of a per-host
              configuration block, where expression is an arbitrary string
              that distinguishes this block from others. The expression
              format can contain wildcards. The expression will be compared
              with the host name obtained from the command line, and if it
              matches, the block will be evaluated. Evaluation stops at the
              next expression: format. If more than one match is found, the
              last obtained value will be effective. Note that the
              expression format does not have to be a real host name, as
              long as the expression block contains a host configuration
              parameter, where the real host name to connect is defined.

              Specifies the Certificate Authority (CA) certificate (in
              binary or PEM [base64] format) to be used when authenticating
              remote hosts. The certificate received from the host must be
              issued by the specified CA and must contain an alternate,
              fully qualified domain name. If the remote host name is not
              fully qualified, the domain specified by the DefaultDomain
              configuration option is appended to it before comparing it to
              certificate alternate names. If no CA certificates are
              specified in the configuration file, the protocol tries to do
              key exchange with ordinary public keys. Otherwise certificates
              are preferred. Multiple CAs are permitted.

              Similar to HostCA, but disables Certificate Revocation List
              (CRL) checking for the given ca-certificate.

              Specifies the name of the user's identification file.

              Specifies whether the keepalive messages are sent. If they are
              sent, the loss of a connection or crash of a system will be
              noticed. However, this means that connections will die if the
              route is down temporarily. The argument must be yes or no. The
              default is yes (send keepalive messages). To disable keepalive
              messages, set the value to no in both the server and the
              client configuration files.

              CRLs are automatically retrieved from the CRL distribution
              point defined in the certificate to be checked if the point
              exists. Otherwise, the comma-separated server list given by
              the LdapServers keyword is used. If intermediate CA
              certificates are needed in certificate validity checking, this
              keyword must be used or retrieving the certificates will fail.

              Specifies that a TCP/IP port on the local system be forwarded
              over the secure channel to the given host:port on the remote
              system. The argument format is port:host:hostport. See the -L
              option in ssh2(1) for information on forward definitions.

              Specifies the Message Authentication Code (MAC) algorithm to
              use for data integrity verification. Supported MAC algorithms
              are hmac-sha1, hmac-sha1-96, hmac-md5, hmac-md5-96,
              hmac-ripemd160, and hmac-ripemd160-96, of which hmac-sha1,
              hmac-sha1-96, hmac-md5 and hmac-md5-96 are included in all
              distributions.

              Use a comma-separated list when specifying more than one MAC.
              Special arguments to this keyword are Any, Anystd, none,
              AnyMac and AnyStdMac. The Any argument allows all MACs
              including none; the AnyStd argument allows only those
              mentioned in the IETF-SecSH draft and none; the none argument
              forbids any use of MACs; the AnyMac and AnyStdMac arguments
              are analogous to the first two cases but exclude none. The
              AnyStdMac argument is the default.

              Specifies whether to enable the TCP_NODELAY socket option. The
              argument must be yes or no. The default is no.

              Specifies the number of password prompts permitted. The
              argument must be an integer. The default value is 3. The
              server also limits the number of attempts, so setting this
              value larger than the server's value does not have any effect.

              Specifies the password prompt displayed when users log in.
              Variables %U and %H can be used to give the user's login name
              and host name, respectively.

              Specifies the port number on the remote host. The default is
              port number 22.

              Suppresses all warnings and diagnostic messages, except fatal
              errors. The argument must be yes or no. The default is no.

              Specifies the name of the user's random seed file. The default
              is the /$HOME/.ssh2/random_seed file, where $HOME is the name
              of the user's account.

              Specifies the number of seconds between key exchanges. The
              default is 3600 seconds (one hour). A value of 0 (zero) turns
              rekey requests off. This does not prevent the server from
              requesting rekeys. Other servers might not have rekey
              capabilities implemented correctly, and might not support
              rekey requests. This means that they might terminate the
              connection or the server might crash.

              Specifies that a TCP/IP port on the remote system be forwarded
              over the secure channel to the specified host:port from the
              local system. The argument format is port:host:hostport. See
              the -R option in the ssh2(1) file for more information on
              forward definitions.

              Specifies an environment variable to set in the server before
              executing a shell or command. The value should be of the form
              VAR=val. The val field can be empty. You can specify multiple
              variables by using multiple options. Setting the variable can
              fail on the server end. See SettableEnvironmentVars in
              sshd2_config(4).

                                            Note

              This feature is not implemented in Secure Shell versions 3.0.x
              and earlier.

              Specifies whether to forward an SSH1 agent connection.
              Arguments are none, traditional, and ssh2. With the none
              (default) value, the SSH1 agent connection is not forwarded.
              With the traditional value, the SSH1 agent connection is
              forwarded transparently. The traditional value can always be
              used, but it constitutes a security risk, because the agent
              does not get the information about the forwarding path. The
              ssh2 value makes SSH1 agent forwarding similar to SSH2 agent
              forwarding, and with this mode the agent gets the information
              about the agent forwarding path. The ssh2 value can be used
              only if you use ssh-agent2 in SSH1 compatibility mode.

              Specifies whether to use SSH1 compatibility codes. The
              argument must be yes or no. With this option, ssh1 executes if
              the server supports only SSH 1.x protocols.

              Specifies whether to use SSH1 internal emulation code. With
              this option, ssh2 can communicate with ssh1 servers, without
              using an external ssh1 program. The argument must be yes or
              no. (This option currently is not supported.)

              Specifies whether to send SSH_MSG_IGNORE packets to mask the
              password length. The argument must be yes or no. The default
              is yes.

              Specifies the path to the ssh1 client, which is executed if
              the server supports only SSH 1.x protocols. The arguments for
              ssh2 are passed to the ssh1 client.

              Overrides the value of the SSH_SOCKS_SERVER environment
              variable.

              Specifies whether the client automatically adds new host keys
              to the $HOME/.ssh2/hostkeys file. The argument must be yes,
              ask, or no. The default is ask.

	      If the argument is set to yes, new host keys will never be added
	      automatically  to	 the  hostkeys	file,  and connections will be
	      refused to hosts whose host key has changed. This provides maxi‐
	      mum  protection against man-in-the-middle attacks. The yes argu‐
	      ment forces the user to add all new hosts manually.

	      If the argument is set to ask, new hosts will be added automati‐
	      cally  to	 the hostkeys file after the user confirms this is the
	      intent. If a host key changes, you will be asked if you want  to
	      accept the new host key as the only valid one.

	      If  the argument is set to no, new hosts will be added automati‐
	      cally to the hostkeys file without prompting the user.

              The host keys of known hosts will be verified automatically.

              Specifies whether the Xserver should treat X11 client
              applications as trusted (with forwarding X11). Treating X11
              applications as untrusted avoids the problem that logging into
              a compromised host allows applications on that host to detect
              any input operations via the forwarded X11 connection. You
              should only use this option if the X client program you are
              running needs exceptional privileges for the Xserver. The ssh1
              internal emulation mode does not support the SECURITY
              extension. The argument must be yes or no. The default is no.

              Specifies the user name. This keyword can be useful if you
              have a different user name on different systems. You do not
              have to specify the user name on the command line.

              Use SOCKS5 instead of SOCKS4 when connecting to remote host.
              You have to set SocksServer to a meaningful value. The
              argument must be yes or no. The default is no (i.e., use
              SOCKS4).

              Specifies whether debugging messages are displayed. The
              argument must be yes or no. The default is no.

              Specifies where to find the xauth program. The default is set
              by the configure script.

LEGAL NOTICES
       SSH is a registered trademark of SSH Communication Security Ltd.

SEE ALSO
       Commands: ssh2(1)

       Files: ssh_certificates(4)

								ssh2_config(4)