SSH2_CONFIG(5) SSH2 SSH2_CONFIG(5)
NAME
ssh2_config - format of configuration file for ssh2
CONFIGURATION FILES
Ssh2 obtains configuration data from the following sources
(in this order): the system's global configuration file
(typically /etc/ssh2/ssh2_config), the user's configuration
file ($HOME/.ssh2/ssh2_config) and the command line options.
For each parameter, the last obtained value will be effective.
The configuration file has the following format:
`expression:' denotes the start of a per-host configuration
block, where `expression' is an arbitrary string which
distinguishes this block from others. The `expression' can
contain wildcards. The `expression' will be compared with
the hostname obtained from the command line, and if it
matches, the block will be evaluated. Evaluation stops at
the next `expression:' statement. If more than one match is
found, all will be evaluated and the last obtained values
for parameters will be effective. Note that the `expression'
doesn't have to be a real hostname, as long as the
`expression' block contains a "Host" configuration
parameter, where the real hostname to connect to is defined.
Empty lines and lines starting with `#' are ignored as
comments.
Otherwise a line is of the format "keyword arguments". Note
that it is possible to enclose arguments in quotes, using
the standard C convention.
The possible keywords and their meanings are as
follows (note that the configuration files are
case-sensitive, but keywords are case-insensitive):
AllowedAuthentications
This keyword specifies the authentication methods that are
allowed. This is a comma-separated list currently consisting
of the following words: password, publickey and hostbased.
Each specifies an authentication method. The default is
"publickey,password". The authentication methods are tried
in the order in which they are specified with this
configuration parameter. That means that the least
interactive methods should be placed first in this list, for
example "hostbased, publickey,password" (because publickey
authentication can be automated by the user, with ssh-agent).
AuthenticationSuccessMsg
Specifies whether to display "Authentication successful."
after authentication has completed successfully. This is
mainly to prevent malicious servers from getting information
from the user by displaying additional pass{word,phrase}
prompts. The argument must be "yes" or "no". The default is
"yes".
AuthorizationFile
Specifies the name of the user's authorization
file.
BatchMode
If set to "yes", ssh2 disables password/passphrase querying.
This is useful in scripts and other batch jobs where you
don't have a user to supply the password. If the
"StrictHostKeyChecking" parameter is set to "ask", ssh2
assumes a "no" answer to queries (this is because ssh
doesn't even try to get user input when invoked with
"BatchMode yes"). The argument must be "yes" or "no".
Ciphers
Specifies the ciphers to use for encrypting the session.
Currently, des, 3des, blowfish, arcfour, twofish and cast
are supported, of which des, 3des, arcfour, blowfish and
twofish are included in all distributions. Multiple ciphers
can be specified as a comma-separated list. Special values
for this option are any; anystd, which allows only standard
(see below) ciphers; anycipher, which allows any available
cipher except the non-encrypting cipher mode none; and
anystdcipher, which is the same as anycipher but includes
only those ciphers mentioned in the IETF SecSH draft
(excluding 'none').
Compression
Specifies whether to use compression. The argument
must be "yes" or "no".
DefaultDomain
This option is only useful if set in the global
configuration file. It is used by ssh2 and ssh-signer2 to
find out the system name, if only the base part of the
system name is available by normal means (those used by
e.g. hostname(1)). It is appended to the found system name
if the system name returned doesn't contain a dot ('.').
DontReadStdin
Redirects input from /dev/null, i.e. doesn't read stdin.
The argument must be "yes" or "no".
EscapeChar
Sets the escape character (default: ~). The escape character
can also be set on the command line. The argument should be
a single character, `^' followed by a letter, or "none" to
disable the escape character entirely (making the connection
transparent for binary data).
ForcePTTYAllocation
Forces tty allocation, i.e. allocates a tty even if a
command is given. The argument must be "yes" or "no".
(not yet implemented)
ForwardAgent
Specifies whether the connection to the authentication agent
(if any) will be forwarded to the remote machine. The
argument must be "yes" or "no".
ForwardX11
Specifies whether X11 connections will be automatically
redirected over the secure channel and DISPLAY set. The
argument must be "yes" or "no".
GatewayPorts
Specifies whether remote hosts may also connect to locally
forwarded ports. The argument must be "yes" or "no". The
default is "no".
GoBackground
Requests ssh2 to go to the background after authentication
is done and the forwardings have been established. This is
useful if ssh2 is going to ask for passwords or passphrases,
but the user wants it in the background. The argument must
be "yes", "no" or "oneshot". With "oneshot", ssh2 behaves
the same way as with the `-f o' command line arguments. The
default is "no".
Host Specifies the real host name to log into. With
`expression' above, this can be used to specify
nicknames or abbreviations for hosts. The default
is the name given on the command line. Numeric IP
addresses are also permitted (both on the command
line and in HostName specifications).
IdentityFile
Specifies the name of the user's identification
file.
KeepAlive
Specifies whether the system should send keepalive messages
to the other side. If they are sent, death of the connection
or crash of one of the machines will be properly noticed.
However, this means that connections will die if the route
is down temporarily, and some people find this annoying.
The default is "yes" (to send keepalives), and the client
will notice if the network goes down or the remote host
dies. This is important when using scripts, and many users
want it too.
To disable keepalives, the value should be set to "no" in
both the server and the client configuration files.
LocalForward
Specifies that a TCP/IP port on the local machine is
forwarded over the secure channel to the given host:port
from the remote machine. The argument should be enclosed in
double quotes (""). The argument format is
port:remotehost:remoteport.
MACs Specifies the MAC (Message Authentication Code)
algorithm to use for data integrity verification.
Currently, hmac-sha1, hmac-sha1-96, hmac-md5, hmac-md5-96,
hmac-ripemd160 and hmac-ripemd160-96 are supported, of which
hmac-sha1, hmac-sha1-96, hmac-md5 and hmac-md5-96 are
included in all distributions. Multiple MACs can be
specified as a comma-separated list. Special values for this
option are any; anystd, which allows only standard (see
below) MACs; anymac, which allows any available MAC except
none; and anystdmac, which is the same as anymac but
includes only those MACs mentioned in the IETF SecSH draft
(excluding 'none').
NoDelay
If "yes", enable socket option TCP_NODELAY. The
argument must be "yes" or "no". Default is "no".
PasswordPrompt
Sets the password prompt that the user sees when
connecting to a host. Variables '%U' and '%H' can
be used to give the user's login name and host,
respectively.
Port Specifies the port number to connect on the remote
host. The default port number is 22.
QuietMode
Quiet mode. Causes all warnings and diagnostic messages to
be suppressed. Only fatal errors are displayed. The argument
must be "yes" or "no".
RandomSeedFile
Specifies the name of the user's randomseed file.
RekeyIntervalSeconds
Specifies the number of seconds after which the key exchange
is done again. The default is 3600 seconds. A value of '0'
turns rekey requests off. This doesn't prevent the server
from requesting rekeys. Other servers may not have rekey
capabilities implemented correctly, and your connection may
be cut off if you're connecting to a server other than
sshd2. (The server may also possibly crash, but that is no
fault of ssh2.)
RemoteForward
Specifies that a TCP/IP port on the remote machine is
forwarded over the secure channel to the given host:port
from the local machine. The argument should be enclosed in
double quotes (""). The argument format is
port:remotehost:remoteport.
Ssh1AgentCompatibility
Specifies whether to also forward an SSH1 agent connection.
Legal values for this option are "none", "traditional" and
"ssh2". With value "none" (default), the SSH1 agent
connection is not forwarded at all. With value
"traditional", the SSH1 agent connection is forwarded
transparently like in SSH1. Value "traditional" can always
be used, but it constitutes a security risk, because the
agent does not get the information about the forwarding
path. Value "ssh2" makes SSH1 agent forwarding similar to
SSH2 agent forwarding, and with this mode the agent gets the
information about the agent forwarding path. Note that value
"ssh2" can only be used if you use ssh-agent2 in SSH1
compatibility mode.
Ssh1Compatibility
Specifies whether to use SSH1 compatibility code.
With this option, ssh1 is executed when the server
supports only SSH 1.x protocols. The argument must
be "yes" or "no".
Ssh1Path
Specifies the path to the ssh1 client, which is executed if
the server supports only SSH 1.x protocols. The arguments
for ssh2 are passed to the ssh1 client.
SocksServer
Overrides the value of SSH_SOCKS_SERVER. Otherwise,
functions completely equivalently.
StrictHostKeyChecking
If this flag is set to "yes", ssh2 will never automatically
add host keys to the $HOME/.ssh2/hostkeys directory, and
refuses to connect to hosts whose host key has changed. This
provides maximum protection against Trojan horse attacks.
However, it can be somewhat annoying if you don't have the
necessary keys in /etc/ssh2/hostkeys and you frequently
connect to new hosts. Basically this option forces the user
to manually add any new hosts. Normally this option is set
to "ask", and new hosts will automatically be added to the
known host files after you have confirmed you really want
to do that. If this is set to "no" then the new host will
automatically be added to the known host files. The host
keys of known hosts will be verified automatically in either
case. If this value is set to "ask", the user also has the
option to change the key on the disk on the fly.
The argument must be "yes", "no" or "ask".
User Specifies the user to log in as. This can be useful
if you have a different user name in different
machines. This saves the trouble of having to
remember to specify the user name on the command
line.
VerboseMode
Verbose mode. Causes ssh2 to print debugging messages about
its progress. This is helpful when debugging connection,
authentication, and configuration problems.
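The following is an added example, not code from SSH Communications Security or from this manual page. It implements the file format rules given under CONFIGURATION FILES (`expression:' blocks matched with wildcards against the command-line host name, `#' comments, "keyword arguments" lines with quoted arguments, case-insensitive keywords, last value wins across the global file, user file and command line) and the port:remotehost:remoteport argument of LocalForward and RemoteForward. The sample configuration files embedded in it are constructed for the example. One assumption is made that the page does not state explicitly: lines before the first `expression:' apply to every host.

```python
"""Parser for the ssh2_config format as described in ssh2_config(5).

Added example, not code shipped with ssh2. Assumption (not stated on
the page): lines before the first `expression:' apply to every host.
"""
import fnmatch
import shlex


def parse_ssh2_config(text):
    """Return a list of (expression, settings) blocks in file order.

    expression is None for the leading unconditional section.  Keywords
    are lower-cased because the page says they are case-insensitive.
    """
    blocks = [(None, {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue                           # empty line or comment
        if line.endswith(':') and len(line.split()) == 1:
            blocks.append((line[:-1], {}))     # start of a per-host block
            continue
        # shlex honours "..." quoting and backslash escapes, which is
        # close to the C convention the page refers to.
        tokens = shlex.split(line)
        keyword, args = tokens[0].lower(), tokens[1:]
        blocks[-1][1][keyword] = ' '.join(args)
    return blocks


def block_applies(expression, cmdline_host):
    """A block applies when its (wildcard) expression matches the host
    name given on the command line; the leading section always applies."""
    return expression is None or fnmatch.fnmatchcase(cmdline_host, expression)


def effective_config(sources, cmdline_host, cmdline_options=None):
    """Merge the sources in order (global file, user file, ...) and then
    the command-line options; for each parameter the last value wins."""
    effective = {}
    for text in sources:
        for expression, settings in parse_ssh2_config(text):
            if block_applies(expression, cmdline_host):
                effective.update(settings)
    for keyword, value in (cmdline_options or {}).items():
        effective[keyword.lower()] = value
    # Host defaults to the name given on the command line.
    effective.setdefault('host', cmdline_host)
    return effective


def parse_forward(spec):
    """Split a LocalForward/RemoteForward argument port:remotehost:remoteport.

    The remote host is taken from the middle so a host name containing a
    colon does not break the split."""
    port, rest = spec.split(':', 1)
    host, rport = rest.rsplit(':', 1)
    return int(port), host, int(rport)


# Constructed sample files; not taken from any real installation.
GLOBAL_CONFIG = """
# /etc/ssh2/ssh2_config (constructed example)
StrictHostKeyChecking   ask
AllowedAuthentications  publickey,password
Ciphers                 anystdcipher
MACs                    anystdmac
KeepAlive               yes
"""

USER_CONFIG = """
# $HOME/.ssh2/ssh2_config (constructed example)
AuthenticationSuccessMsg yes

# Nickname block: "bastion" is not a real host name; Host supplies it.
bastion:
    Host                    bastion.example.test
    User                    ops
    Port                    2200
    StrictHostKeyChecking   yes
    AllowedAuthentications  publickey
    LocalForward            "8443:intranet.example.test:443"

# Wildcard block: applies to every host named *.example.test
*.example.test:
    Compression yes
    User        alice
"""

if __name__ == '__main__':
    for host in ('bastion', 'db.example.test'):
        cfg = effective_config([GLOBAL_CONFIG, USER_CONFIG], host, {'Port': '22'})
        print(host, '->', cfg['host'], cfg)
```

Note that the `*.example.test:` block does not apply when the user types `ssh2 bastion`, even though the real Host in that block is under example.test: the page says the expression is compared with the name obtained from the command line, not with the resolved Host. The "bastion" block also shows the last-value-wins rule in action: the global StrictHostKeyChecking ask is overridden by yes for that host only.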
AUTHORS
SSH Communications Security Corp
For more information, see http://www.ssh.com.
SEE ALSO
ssh2(1)
SSH2 May 23, 2000 SSH2_CONFIG(5)