Configuration File Keyword Reference - Secure Shell Settings
Use this reference if you manually edit your Secure Shell configuration file. The configuration file is organized into sections, each identified by a Host keyword. Each section specifies Secure Shell settings to be used for all connections made using the specified host or SSH configuration scheme.
The configuration file consists of keywords followed by values. Configuration options may be separated by white space or by optional white space and exactly one equal sign (=). Keywords are case-insensitive and arguments are case-sensitive.
Any line starting with a number sign (#) is a comment. Any empty line is ignored.
Note: Items in this list configure features which affect the Secure Shell connection. Additional keywords are available for configuring terminal emulation for ssh command line sessions. Reference information about these keywords is available in Configuration File Keyword Reference - Terminal Emulation Settings.
Specifies whether or not to disable all queries for user input, including password and passphrase prompts, which is useful for scripts and batch jobs. The allowed values are 'yes' and 'no'. The default is 'no'.
Note: This keyword does not disable queries for user input when keyboard interactive authentication is configured, but connections that use keyboard interactive will fail when BatchMode is enabled.
Specifies the interface to transmit from on computers with multiple interfaces or aliased addresses.
Specifies whether to use challenge response authentication. The argument must be 'yes' or 'no'. This authentication method is recommended if you are using SecurID, PAM authentication, or any other external authentication method that requires prompts from the server and responses from the user. The default is 'yes'. This applies to SSH protocol 1 only, which is supported, but not recommended. Use KbdInteractiveAuthentication for SSH protocol version 2.
If this flag is set to 'yes', the Reflection Secure Shell Client additionally checks the host IP address in the known_hosts file. This allows Reflection to detect whether a host key changed due to DNS spoofing. If the option is set to 'no', the check is not executed. The default is 'no'.
Specifies the cipher to use for encrypting the session in protocol version 1. Currently, 'blowfish', '3des', and 'des' are supported. des is only supported by the Secure Shell client for interoperability with legacy protocol 1 implementations that do not support the 3des cipher. Its use is strongly discouraged due to cryptographic weaknesses. The default is '3des'.
Specifies the ciphers allowed for protocol version 2 in order of preference. Multiple ciphers must be comma-separated. The default is 'aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, aes192-cbc,aes256-cbc'.
Clears any local, remote, or dynamically forwarded ports that have already been processed from either a configuration file or the command line. Note: scp and sftp clear all forwarded ports automatically regardless of the value of this setting. The allowed values are 'yes' and 'no'. The default is 'no'.
Specifies whether compression is enabled. Compression is desirable on modem lines and other slow connections, but will slow down response rates on fast networks. Compression also adds extra randomness to the packet, making it harder for a malicious person to decrypt the packet. The allowed values are 'yes' and 'no'. The default is 'no'.
Specifies the compression level to use if compression is enabled. This option applies to protocol version 1 only. The argument must be an integer from 1 (fast) to 9 (slow, best). The default level is 6, which is good for most applications. The meaning of the values is the same as in gzip.
Specifies the number of tries (one per second) to make before exiting. The argument must be an integer. This may be useful in scripts if the connection sometimes fails. The default is 1.
Specifies whether multiple sessions to the same host reuse the original Secure Shell connection, and, therefore don't require re-authentication. The argument must be 'yes' or 'no'. When set to 'yes' new connections reuse the existing tunnel when the host name, user name, and SSH configuration scheme (if used) all match. When set to 'no', Reflection establishes a new connection for each session, which means that each new connection repeats the authentication process and also applies any modified connection-specific settings (such as forwards and ciphers). The default is 'yes' for connections made using the Reflection window to make your connections. It is 'no' if you are using the Reflection command line utilities to make your connections. For details, see Connection Reuse in Secure Shell Sessions.
Specifies whether CRL (Certificate Revocation List) checking occurs when validating host certificates. Setting this to yes disables Certificate Revocation List checking. The default value of this setting is based on your current system setting for CRL checking. To view and edit the system setting, launch Internet Explorer, and go to Tools > Internet Options >Advanced. Under Security, look for "Check for server certificate revocation."
Specifies that a TCP/IP port on the local machine be forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. The argument must be a port number. Currently the SOCKS4 protocol is supported, and Reflection Secure Shell will act as a SOCKS4 server. Multiple forwardings may be specified, and additional forwardings can be given on the command line. Only a user with administrative privileges can forward privileged ports.
Sets the escape character (default: '~'). The escape character can also be set on the command line. The argument must be a single character, '^' followed by a letter, or 'none' to disable the escape character entirely (making the connection transparent for binary data).
When this setting is 'yes' connections must be made using security protocols and algorithms that meet United States government's Federal Information Processing Standard (FIPS) 140-2. Options that don't meet these standards are not available on the Encryption tab.
Note: This setting affects the SSH configuration scheme specified by the Host keyword, and has no effect on subsequent Secure Shell sessions unless they are configured to use the same SSH configuration scheme (or host name).
Setting this to 'yes' enables forwarding of the Reflection Key Agent connection. Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the agent's Unix-domain socket) can access the local agent through the forwarded connection. Attackers cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent. This may need to be enabled on the server also. The default is 'no'.
Specifies whether X11 connections are automatically redirected over the secure channel and DISPLAY set. The argument must be 'yes' or 'no'. The default is 'no'.
Note: If you configure Secure Shell using Reflection X, ForwardX11 is set to 'yes' automatically.
Specifies whether remote hosts are allowed to connect to local forwarded ports. By default, Reflection Secure Shell binds local port forwardings to the loopback address. This prevents other remote hosts from connecting to forwarded ports. GatewayPorts can be used to specify that Reflection Secure Shell should bind local port forwardings to the wildcard address, thus allowing remote hosts to connect to forwarded ports. Be careful about enabling this setting. Using it can reduce the security of your network and connection because it can allow remote hosts to use the forwarded port on your system without authenticating. The argument must be 'yes' or 'no'. The default is 'no'.
Specifies a file to use for the global host key database instead of the default file named ssh_known_hosts located in the Reflection application data folder.
Note: Enclose the filename in quotation marks if any part of the path or filename includes spaces.
Specifies whether GSSAPI authentication is used to authenticate to a Kerberos KDC. This setting is applicable only if the protocol being used is protocol version 2. (The equivalent setting for protocol version 1 is KerberosAuthentication.) The allowed values are 'yes' and 'no'. The default is 'no'.
Specifies whether GSSAPI is used to forward your ticket granting ticket (krbtgt) to the host. This setting is applicable only if the protocol being used is protocol version 2. (The equivalent setting for protocol version 1 is KerberosTgtPassing.) The allowed values are 'yes' and 'no'. The default is 'yes'.
Specifies whether Microsoft's Security Support Provider Interface (SSPI) is used for GSSAPI authentication. This setting is applicable only if Kerberos/GSSAPI authentication is enabled (using GssapiAuthentication for protocol version 2 and KerberosAuthentication for protocol version 1). The argument to this keyword must be 'yes' or 'no'. When set to 'no' the Reflection Secure Shell Client uses the Reflection Kerberos Client for GSSAPI authentication. When set to 'yes' the Reflection Secure Shell Client uses your Windows domain login credentials (SSPI) to authenticate to the Secure Shell server. SSPI is supported for protocol version 2 connections only, and the server must support the GSSAPI-with-mic authentication method. The default is 'yes'.
Specifies a non-default service principal name to use when the client sends a request for a service ticket to the Kerberos Key Distribution Center (KDC). If you have selected SSPI for your GSSAPI provider, you can use this setting to specify a service principal in a realm that is different from the Windows domain. Use a fully qualified host name followed by @ then the realm name, for example myhost.myrealm.com@MYREALM.COM. (By default the hostname value is the name of the Secure Shell server to which you are connecting and the realm depends upon the value of GssapiUseSSPI. When GSSapiUseSSPI is 'no' the realm name is specified in your default principal profile. When GSSapiUseSSPI is 'yes', the realm is your Windows domain name.)
Identifies the declarations that follow (up to the next Host key word) as belonging to the specified SSH configuration scheme. The characters '*' and '?' can be used as wildcards. A single '*' as a pattern can be used to provide global defaults for all hosts. A Reflection connection will use the first occurrence of any matching Host string (including wildcard characters). Any subsequent matches will be ignored.
Specifies, in order of preference, the protocol version 2 host key algorithms that the client uses. The default for this option is: 'x509v3-sign-rsa,x509v3-sign-dss,ssh-rsa,ssh-dss". This setting is useful when the server is configured for both certificate and standard host key authentication. SSH protocol allows only one attempt to authenticate the host. If the host presents a certificate, and the client is not configured for host authentication using certificates, the connection will fail. (This is different from user authentication in which multiple authentication attempts are supported.)
Specifies an alias to be used instead of the real host name for looking up or saving the host key in the host key database files. This option is useful for tunneling ssh connections or for multiple servers running on a single host.
Specifies a private key to use for key authentication. Files are located in the user .ssh folder.) IdentityFile items are added when you select keys or certificates from the list in the User Keys tab of the Secure Shell settings dialog box. It is possible to have multiple identity files specified in configuration files; all these identities will be tried in sequence.
Note: Enclose the full path name in quotation marks if it includes spaces.
Specifies whether to use keyboard interactive authentication. The allowed values are 'yes' and 'no'. The default is 'yes'. This authentication method is recommended if you are using SecurID, PAM authentication, or any other external authentication method that requires prompts from the server and responses from the user. It may also work better than the PasswordAuthentication method for password authentication on hosts where password expiration or first login password changing is enabled. It may also be required for password authentication when expired passwords need to be reset in order to successfully authenticate. This applies to SSH protocol 2 only. Use ChallengeResponseAuthentication for SSH protocol version 1.
Specifies whether the system should send TCP keepalive messages to the other side. If they are sent, death of the connection or crash of one of the machines will be detected. The default is 'yes' (to send keepalives), so that the client will detect that the network goes down or the remote host dies. This is important in scripts and helpful to users. However, this means that connections will die if the route is down temporarily, which some users find annoying. To disable keepalives, set the value to 'no'. This keyword enables the Windows TCP keep alive setting, which sends keep alive messages every two hours by default. TCP/IP keep alive is configurable using two optional pentameters that typically do not exist in the Windows registry: KeepAliveTime and KeepAliveInterval. These are configured in the HKEY_LOCAL_MACHINE registry subtree, in the following location:
For information about setting these parameters, refer to Microsoft Knowledge Base Article 120642.
Specifies whether Kerberos authentication is used for protocol version 1 connections. (The equivalent setting for protocol version 2 is GssapiAuthentication.) The argument to this keyword must be 'yes' or 'no'.
Specifies whether a Kerberos TGT is forwarded to the server. This will work only if the Kerberos server is actually an AFS kaserver. This setting applies to protocol version 1 only. (The equivalent setting for protocol version 2 is GssapiDelegateCredentials.) The argument to this keyword must be 'yes' or 'no'.
Specifies which key exchange algorithms the client supports, and the order of preference. The supported values are 'diffie-hellman-group1-sha1' and 'diffie-hellman-group-exchange-sha1'. The default is 'diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1'.
Note: If GSSAPI authentication using the Reflection Kerberos Client is enabled, then the following additional key exchange algorithms are automatically added to the list: gss-group1-sha1 and gss-gex-sha1.
Specifies that a TCP/IP port on the local machine be forwarded over the secure channel to the specified host and port on the remote machine. Multiple forwardings can be specified. Only users with administrator privileges can forward privileged ports. You can also configure optional arguments for forwarding FTP, configuring remote desktop, and automatically launching an executable file (*.exe) after the connection is made. The syntax for this keyword is:
LocalForward localport host:hostport [FTP=0|1] [RDP=0|1] ["ExecutableFile" [args]]
The options are:
Specifies a log file to use for debugging. All session input and output is written to this file. Use this keyword with the -o command-line utility option as shown here:
Note: Enclose the path filename in quotation marks if any part of the path or filename includes spaces.
Specifies the verbosity level that is used when logging messages from the Reflection Secure Shell Client. The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of verbose output.
Specifies the MAC (message authentication code) algorithms in order of preference. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. When no Macs preference is specified, Reflection attempts to use the following algorithms in this order: 'hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96,none'.
Specifies whether host name matching is required when validating host certificates. When this setting is 'yes' (the default), the host name you configure in Reflection must exactly match a host name entered in either the CommonName or the SubjectAltName fields of the certificate.
Configures multi-hop connections, which can be used to establish secure connections through a series of SSH servers. This is useful if your network configuration doesn't allow direct access to a remote server, but does allow access via intermediate servers.
The syntax for this keyword is:
Multihop localport host:hostport
Add a new Multihop line for each server in the series. Each connection on the list is sent through the tunnel established by the connection above it.
In the example below, SSH connections configured to ServerC will connect first to ServerA, then to ServerB, and finally to the ServerC.
Multihop 2022 ServerA:22
Multihop 3022 ServerB:22
When NoShell is set to "Yes", the client creates a tunnel without opening a terminal session. This option can be used in combination with ConnectionReuse to create a tunnel that can be reused by other ssh connections.
Specifies the number of password prompts before giving up. The argument to this keyword must be an integer. The default is 3.
Specifies whether to use password authentication. The allowed values are 'yes' and 'no'. The default is 'yes'.
Specifies the port number to connect on the remote host. The default is 22.
Specifies the order in which the client should try protocol 2 authentication methods. This corresponds to the order (top to bottom) in which the methods are displayed in the User Authentication list on the General tab of the Secure Shell settings dialog box. This setting enables the client to prefer one method (such as keyboard-interactive) over another method (such as password). By default, Reflection attempts authentication in the following order: 'publickey,keyboardinteractive,password'. If GSSAPI authentication is enabled, the default changes to: 'gssapi-with-mic,external-keyex,gssapi,publickey,keyboardinteractive,password'.
Specifies the protocol versions the Reflection Secure Shell Client should support in order of preference. The possible values are '1' and '2'. Multiple values must be comma-separated. The default is '2,1', which means that Reflection tries version 2 and falls back to version 1 if version 2 is not available.
Specifies a proxy type to use for Secure Shell connections. Currently 'SOCKS' is the only supported value.
Note: SOCKS is enabled for each Host section using this setting in the configuration file. The SOCKS proxy server address is configured using Reflection and is stored in the Windows registry on a per-user basis.
Specifies whether to try public key authentication. This option applies to protocol version 2 only. The allowed values are 'yes' and 'no'. The default is 'yes'.
Specifies one or more commands to run on the remote server. Use a semicolon (;) to separate multiple commands. After a connection is established the server executes (or attempts to execute) the specified command(s), and then the session terminates. The server must be configured to allow commands received from the client to run.
Specifies that a TCP/IP port on the remote machine be forwarded over the secure channel to the specified host and port from the local machine. The first argument must be a port number, and the second must be host:port. IPv6 addresses can be specified with an alternative syntax: host/port. Multiple forwardings may be specified. Only the users with administrator privileges can forward privileged ports.
Specifies whether to try RSA authentication. This option applies to protocol version 1 only. RSA authentication will only be attempted if the identity file exists. The allowed values are 'yes' and 'no'. The default is 'yes'.
Specifies an environment variable to set on the server before executing a shell or a command. The value should be of form: VAR val. The server must support the specified variable, and must be configured to accept these environment variables.
Specifies whether to send server alive messages to the SSH server at the interval specified by ServerAliveInterval. The Secure Shell ServerAlive setting sends an SSH protocol message to the server at the specified interval to ensure that the server is still functioning. If this is setting is not enabled, the SSH connection will not terminate if the server dies or the network connection is lost. This setting can also be used to keep connections that only forward TCP sessions from being timed out by the server, as the server may timeout these connections because it detects no SSH traffic. The allowed values are 'yes' and 'no'. The default is 'no'.
Note: The Secure Shell ServerAlive setting is not related to the TCP keep alive setting (KeepAlive) that can be set in the Windows registry to keep all TCP/IP connections from being timed out by a firewall. To change the TCP/IP keep alive behavior, you need to edit the Windows registry.
Specifies the interval (in seconds) to use when ServerAlive = 'yes'. Use an integer value of one or greater. The default is 30.
Specifies the number of bytes requested in each packet during SFTP transfers. The default is 32768. Adjusting this value can improve transfer speed. The optimum value depends on your network and server setup. Changing this value may also affect how quickly you can cancel a transfer.
Specifies the maximum number of outstanding data requests that the client will allow during SFTP transfers. The default is 10. Adjusting this value can improve transfer speed. The optimum value depends on your network and server setup. Changing this value may also affect how quickly you can cancel a transfer.
The argument must be 'yes', 'no' or 'ask'. The default is 'ask'. If this option is set to 'yes', the Reflection Secure Shell Client never automatically adds host keys to the known_hosts file (located in the user .ssh folder), and refuses to connect to hosts whose host key has changed. This option forces the user to manually add all new hosts. If this flag is set to 'no', Reflection connects to the host without displaying a confirmation dialog box, and does not add the host key to the list of trusted keys. If this flag is set to 'ask', new host keys are added to the user known host files only after the user has confirmed that is what they want. The host keys of known hosts are verified automatically in all cases.
Note: This setting has no effect when the host has been configured to authenticate using x509 certificates. If a host presents a certificate for host authentication and you do not have the required CA certificate in your Trusted Root store, the connection will fail.
If this flag is set to 'yes' , the client starts the password authentication by trying to enter an empty password. Note that this will count as a login attempt on most systems.
Specifies the user to log in as. This can be useful when a different user name is used on different machines.
Specifies whether the client uses OCSP (Online Certificate Status Protocol) to validate host certificates. The allowed values are 'yes' and 'no'. The default is 'no'.
Specifies a file to use for the user host key database instead of the known_hosts file (located in the user .ssh folder). Use quotation marks if the file or path includes spaces.
Specifies the hash algorithm the client uses in the process of proving possession of DSA private keys. Possible values are 'sha1raw' (the default) and 'sha1asn1'.
Specifies the hash algorithm the client uses in the process of proving possession of RSA private keys. Possible values are 'md5' (the default) and 'sha1'.