ssh_config man page on Solaris

Man page or keyword search:  
man Server   20652 pages
apropos Keyword Search (all sections)
Output format
Solaris logo
[printable version]

ssh_config(4)			 File Formats			 ssh_config(4)

NAME
       ssh_config - ssh configuration file

SYNOPSIS
       /etc/ssh/ssh_config

       $HOME/.ssh/config

DESCRIPTION
       The first ssh_config path, above, provides the system-wide defaults for
       ssh(1). The second version is user-specific defaults for ssh.

       ssh obtains configuration data from  the	 following  sources  (in  this
       order):	  command    line    options,	 user's	  configuration	  file
       ($HOME/.ssh/config),	and	system-wide	configuration	  file
       (/etc/ssh/ssh_config).  For  each  parameter,  the first obtained value
       will be used. The configuration files  contain  sections	 bracketed  by
       Host  specifications,  and  that section is applied only for hosts that
       match one of the patterns given in the specification. The matched  host
       name is the one given on the command line.

       Since  the  first  obtained value for each parameter is used, host-spe‐
       cific declarations should be given near the beginning of the file,  and
       general defaults at the end.

       The configuration file has the following format and syntax:

	   o	  Empty lines and lines starting with # are comments.

	   o	  Non-commented lines are of the form:

		    keyword arguments

	   o	  Configuration	 options  can  be  separated  by whitespace or
		  optional whitespace and exactly one equal sign.  The	latter
		  format allows you to avoid the need to quote whitespace when
		  specifying configuration options using the -o option to ssh,
		  scp, and sftp.

       The  possible  keywords	and their meanings are listed below. Note that
       keywords are case-insensitive and arguments are case-sensitive.

       BatchMode

	   The argument must be yes or no. If set to yes,  passphrase/password
	   querying  will  be  disabled.  This option is useful in scripts and
	   other batch jobs where you have no user to supply the password.

       BindAddress

	   Specify the interface to transmit from on  machines	with  multiple
	   interfaces  or  aliased  addresses.	Note that this option does not
	   work if UsePrivilegedPort is set to yes.

       CheckHostIP

	   If this flag is set to yes, ssh will additionally check the host IP
	   address  in	the  known_hosts  file. This allows ssh to detect if a
	   host key changed due to DNS spoofing. If the option is set  to  no,
	   the check will not be executed.

       Cipher

	   Specifies  the cipher to use for encrypting the session in protocol
	   version 1; blowfish and 3des are the only valid values.

       Ciphers

	   Specifies the ciphers allowed for protocol version 2	 in  order  of
	   preference.	Multiple  ciphers must be comma-separated. The default
	   is:

	     aes128-ctr, aes128-cbc, arcfour, 3des-cbc, blowfish-cbc,
	     aes192-ctr, aes192-cbc, aes256-ctr, aes256-cbc

       ClearAllForwardings

	   Specifies that all local,  remote,  and  dynamic  port  forwardings
	   specified  in  the  configuration  files  or on the command line be
	   cleared. This option is primarily useful when  used	from  the  ssh
	   command  line  to clear port forwardings set in configuration files
	   and is automatically set by scp(1) and sftp(1). The	argument  must
	   be yes or no. The default is no.

       Compression

	   Specifies  whether  to use compression. The argument must be yes or
	   no. Defaults to no.

       CompressionLevel

	   Specifies the compression level to use if compression  is  enabled.
	   The	argument  must	be an integer from 1 (fast) to 9 (slow, best).
	   The default level is 6, which is good for most applications.	 kNote
	   that this option applies to protocol version 1 only.

       ConnectionAttempts

	   Specifies the number of tries (one per second) to make before fall‐
	   ing back to rsh or exiting. The argument must be an	integer.  This
	   can	be  useful  in	scripts if the connection sometimes fails. The
	   default is 1.

       ConnectTimeout

	   Specifies the timeout (in seconds) used when connecting to the  ssh
	   server, instead of using the default system TCP timeout. This value
	   is used only when the target is down or truly unreachable, not when
	   it refuses the connection.

       DynamicForward

	   Specifies that a TCP/IP port on the local machine be forwarded over
	   the secure channel. The application protocol is then used to deter‐
	   mine where to connect to from the remote machine. The argument must
	   be a port number. Currently the SOCKS4 protocol is  supported,  and
	   ssh will act as a SOCKS4 server. Multiple forwardings can be speci‐
	   fied and additional forwardings can be  specified  on  the  command
	   line. Only the superuser can forward privileged ports.

       EscapeChar

	   Sets	 the  escape  character.  The default is tilde (~). The escape
	   character can also be set on the command line. The argument	should
	   be  a single character, ^, followed by a letter, or none to disable
	   the escape character entirely (making  the  connection  transparent
	   for binary data).

       FallBackToRsh

	   Specifies  that  if	connecting  with ssh fails due to a connection
	   refused error (there is no sshd(8) listening on the	remote	host),
	   rsh(1) should automatically be used instead (after a suitable warn‐
	   ing about the session being unencrypted). The argument must be  yes
	   or no.

       ForwardAgent

	   Specifies  whether  the  connection to the authentication agent (if
	   any) will be forwarded to the remote machine. The argument must  be
	   yes or no. The default is no.

	   Agent  forwarding  should  be  enabled with caution. Users with the
	   ability to bypass file permissions on  the  remote  host  (for  the
	   agent's  Unix-domain socket) can access the local agent through the
	   forwarded connection. An attacker cannot obtain key	material  from
	   the	agent,	however	 he  can  perform  operations on the keys that
	   enable him to authenticate using the	 identities  loaded  into  the
	   agent.

       ForwardX11

	   Specifies  whether X11 connections will be automatically redirected
	   over the secure channel and DISPLAY set. The argument must  be  yes
	   or no. The default is no.

	   X11 forwarding should be enabled with caution. Users with the abil‐
	   ity to bypass file permissions on the remote host (for the user's X
	   authorization  database)  can  access the local X11 display through
	   the forwarded connection. An attacker might then be able to perform
	   activities such as keystroke monitoring.

       GatewayPorts

	   Specifies whether remote hosts are allowed to connect to local for‐
	   warded ports. By default, ssh binds local port forwardings  to  the
	   loopback  address. This prevents other remote hosts from connecting
	   to forwarded ports. GatewayPorts can be used to  specify  that  ssh
	   should  bind	 local	port forwardings to the wildcard address, thus
	   allowing remote hosts to connect to forwarded ports.	 The  argument
	   must be yes or no. The default is no.

       GlobalKnownHostsFile

	   Specifies a file to use instead of /etc/ssh/ssh_known_hosts.

       GSSAPIAuthentication

	   Enables/disables GSS-API user authentication. The default is yes.

       GSSAPIDelegateCredentials

	   Enables/disables GSS-API credential forwarding. The default is no.

       GSSAPIKeyExchange

	   Enables/disables  GSS-API-authenticated  key exchanges. The default
	   is yes.

	   This option is intended primarily to allow users to disable the use
	   of  GSS-API	key  exchange  for  SSHv2  when	 it would otherwise be
	   selected and then fail (due to server misconfiguration,  for	 exam‐
	   ple). SSHv2 key exchange failure always results in disconnection.

	   This option also enables the use of the GSS-API to authenticate the
	   user to the server after the key exchange. Note  that  GSS-API  key
	   exchange  can  succeed  but the subsequent authentication using the
	   GSS-API fail if the server does not authorize the user's GSS	 prin‐
	   cipal name to the target user account.

       Host

	   Restricts  the following declarations (up to the next Host keyword)
	   to be only for those hosts that match one  of  the  patterns	 given
	   after  the  keyword. An asterisk (*) and a question mark (?) can be
	   used as wildcards in the patterns. A single asterisk as  a  pattern
	   can	be  used to provide global defaults for all hosts. The host is
	   the host name argument given on the command line (that is, the name
	   is not converted to a canonicalized host name before matching).

       HostbasedAuthentication

	   Specifies  whether  to  try rhosts-based authentication with public
	   key authentication. The argument must be yes or no. The default  is
	   no.	This  option applies to protocol version 2 only and is similar
	   to RhostsRSAAuthentication.

       HostKeyAlgorithms

	   Specifies the protocol version  2  host  key	 algorithms  that  the
	   client  wants  to  use in order of preference. The default for this
	   option is: ssh-rsa,ssh-dss.

       HostKeyAlias

	   Specifies an alias that should be used instead  of  the  real  host
	   name	 when  looking up or saving the host key in the host key data‐
	   base files. This option is useful for tunneling ssh connections  or
	   for multiple servers running on a single host.

       HostName

	   Specifies the real host name to log into. This can be used to spec‐
	   ify nicknames or abbreviations for hosts. Default is the name given
	   on  the command line. Numeric IP addresses are also permitted (both
	   on the command line and in HostName specifications).

       IdentityFile

	   Specifies a file from which the user's RSA  or  DSA	authentication
	   identity  is	 read. The default is $HOME/.ssh/identity for protocol
	   version 1 and $HOME/.ssh/id_rsa and $HOME/.ssh/id_dsa for  protocol
	   version  2. Additionally, any identities represented by the authen‐
	   tication agent will be used for authentication. The file  name  can
	   use	the  tilde  syntax  to refer to a user's home directory. It is
	   possible to have multiple identity files specified in configuration
	   files; all these identities will be tried in sequence.

       IgnoreIfUnknown

	   Specifies  a	 comma-separated list of ssh_config parameters, which,
	   if unknown to ssh(1), are to be ignored by ssh.

	   This parameter is primarily intended to be  used  in	 the  per-user
	   ssh_config, ~/.ssh/config. While this parameter can also be used in
	   the system wide /etc/ssh/ssh_config file, it is  generally  useless
	   as  the capabilities of the ssh(1) client on that host should match
	   that file.

       KeepAlive

	   Specifies whether the system should send TCP keepalive messages  to
	   the	other side. If they are sent, death of the connection or crash
	   of one of the machines will	be  properly  noticed.	However,  this
	   means  that connections die if the route is down temporarily, which
	   can be a source of annoyance.

	   The default is yes (to send keepalives),  which  means  the	client
	   notices  if	the network goes down or the remote host dies. This is
	   important in scripts, and  many  users  want	 it  too.  To  disable
	   keepalives,	the  value  should be set to no in both the server and
	   the client configuration files.

       LocalForward

	   Specifies that a TCP/IP port on the local machine be forwarded over
	   the	secure	channel	 to a given host:port from the remote machine.
	   The first argument must be a port number, and the  second  must  be
	   host:port. IPv6 addresses can be specified with an alternative syn‐
	   tax: host/port. Multiple forwardings can  be	 specified  and	 addi‐
	   tional forwardings can be given on the command line. Only the supe‐
	   ruser can forward privileged ports.

       LogLevel

	   Gives the verbosity level that is used when logging	messages  from
	   ssh.	 The  possible values are: FATAL, ERROR, QUIET, INFO, VERBOSE,
	   DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO.  DEBUG  and
	   DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels
	   of verbose output.

       MACs

	   Specifies the MAC (message authentication code) algorithms in order
	   of  preference. The MAC algorithm is used in protocol version 2 for
	   data integrity protection. Multiple algorithms must be  comma-sepa‐
	   rated. The default is hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96.

       NoHostAuthenticationForLocalhost

	   This	 option	 can  be  used	if the home directory is shared across
	   machines. In this case localhost will refer to a different  machine
	   on  each  of the machines and the user will get many warnings about
	   changed host keys. However, this option disables  host  authentica‐
	   tion for localhost. The argument to this keyword must be yes or no.
	   The default is to check the host key for localhost.

       NumberOfPasswordPrompts

	   Specifies the number of attempts before giving up for password  and
	   keyboard-interactive	 methods. Attempts for each method are counted
	   separately. The argument to this keyword must be  an	 integer.  The
	   default is 3.

       PasswordAuthentication

	   Specifies  whether  to use password authentication. The argument to
	   this keyword must be yes or no. Note that this  option  applies  to
	   both protocol versions 1 and 2. The default is yes.

       Port

	   Specifies  the  port	 number	 to  connect  on  the remote host. The
	   default is 22.

       PreferredAuthentications

	   Specifies the order in which	 the  client  should  try  protocol  2
	   authentication  methods.  This allows a client to prefer one method
	   (for example, keyboard-interactive) over another method (for	 exam‐
	   ple,	 password).  The  default  for	this option is: hostbased,pub‐
	   lickey,keyboard-interactive,password.

       Protocol

	   Specifies the protocol versions ssh	should	support	 in  order  of
	   preference. The possible values are 1 and 2. Multiple versions must
	   be comma-separated. The default is 2,1. This means that  ssh	 tries
	   version  2  and  falls back to version 1 if version 2 is not avail‐
	   able.

       ProxyCommand

	   Specifies the command to use to connect to the server. The  command
	   string  extends  to	the  end  of  the  line,  and is executed with
	   /bin/sh. In the command string, %h is substituted by the host  name
	   to connect and %p by the port. The string can be any valid command,
	   and should read from its standard input and write to	 its  standard
	   output.  It should eventually connect an sshd(1M) server running on
	   some machine, or execute sshd -i  somewhere.	 Host  key  management
	   will	 be  done  using  the  HostName	 of  the  host being connected
	   (defaulting to the name typed by the user). Note  that  CheckHostIP
	   is not available for connects with a proxy command.

       PubkeyAuthentication

	   Specifies whether to try public key authentication. The argument to
	   this keyword must be yes or no. The default	is  yes.  This	option
	   applies to protocol version 2 only.

       RemoteForward

	   Specifies  that  a  TCP/IP  port on the remote machine be forwarded
	   over the secure  channel  to	 a  given  host:port  from  the	 local
	   machine.  The  first argument must be a port number, and the second
	   must be host:port. IPv6 addresses can be specified with an alterna‐
	   tive	 syntax:  host/port.  You can specify multiple forwardings and
	   give additional forwardings on the command line. Only the superuser
	   can forward privileged ports.

       RhostsAuthentication

	   Specifies  whether  to  try	rhosts-based authentication. Note that
	   this declaration affects only the client side  and  has  no	effect
	   whatsoever  on security. Disabling rhosts authentication can reduce
	   authentication time on slow connections when rhosts	authentication
	   is  not  used.  Most	 servers  do  not  permit RhostsAuthentication
	   because it is not secure (see RhostsRSAAuthentication).  The	 argu‐
	   ment to this keyword must be yes or no. This option applies only to
	   the protocol version 1 and requires that ssh	 be  setuid  root  and
	   that UsePrivilegedPort be set to yes.

       RhostsRSAAuthentication

	   Specifies  whether to try rhosts-based authentication with RSA host
	   authentication. This is the primary authentication method for  most
	   sites.  The argument must be yes or no. This option applies only to
	   the protocol version 1 and requires that ssh	 be  setuid  root  and
	   that UsePrivilegedPort be set to yes.

       StrictHostKeyChecking

	   If  this  flag is set to yes, ssh will never automatically add host
	   keys to the $HOME/.ssh/known_hosts file, and will refuse to connect
	   hosts  whose host key has changed. This provides maximum protection
	   against trojan horse attacks. However, it can be a source of incon‐
	   venience  if	 you  do  not have good /etc/ssh/ssh_known_hosts files
	   installed and frequently connect new hosts. This option forces  the
	   user	 to  manually  add any new hosts. Normally this option is dis‐
	   abled, and new hosts will automatically be added to the known  host
	   files.  The host keys of known hosts will be verified automatically
	   in either case. The argument must be yes or no or ask. The  default
	   is ask.

       UseOpenSSLEngine

	   Specifies  whether  ssh  should  use the OpenSSL PKCS#11 engine for
	   offloading cryptographic operations to the Cryptographic Framework.
	   Cryptographic  operations  are  accelerated	according  to  the the
	   available installed plug-ins. When no suitable plug-ins are present
	   this option does not have an effect. The default is yes.

       UsePrivilegedPort

	   Specifies  whether  to  use	a privileged port for outgoing connec‐
	   tions. The argument must be yes or no. The  default	is  yes.  Note
	   that	 setting  this option to no turns off RhostsAuthentication and
	   RhostsRSAAuthentication. If set to yes ssh  must  be	 setuid	 root.
	   Defaults to no.

       User

	   Specifies  the  user	 to  log in as. This can be useful if you have
	   different user names on different  machines.	 This  saves  you  the
	   trouble of having to remember to enter the user name on the command
	   line.

       UserKnownHostsFile

	   Specifies a file to use instead of $HOME/.ssh/known_hosts.

       UseRsh

	   Specifies that rlogin or rsh should be used for this	 host.	It  is
	   possible  that  the	host  does  not support the ssh protocol. This
	   causes ssh to immediately execute rsh(1). All other options (except
	   HostName) are ignored if this has been specified. The argument must
	   be yes or no.

       XAuthLocation

	   Specifies the location of the  xauth(1)  program.  The  default  is
	   /usr/openwin/bin/xauth.

SEE ALSO
       ssh(1),	   ssh-http-proxy-connect(1),	  ssh-socks5-proxy-connect(1),
       sshd(1M), sshd_config(4), kerberos(5)

SunOS 5.10			  5 Jan 2012			 ssh_config(4)
[top]

List of man pages available for Solaris

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Tweet
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
....................................................................
Vote for polarhome
Free Shell Accounts :: the biggest list on the net