
Configuration File Keyword Reference - Secure Shell Settings

Use this reference if you manually edit your Secure Shell configuration file. The configuration file is organized into sections, each identified by a Host keyword. Each section specifies Secure Shell settings to be used for all connections made using the specified host or SSH configuration scheme.

The configuration file consists of keywords followed by values. A keyword and its value may be separated by white space, or by optional white space and exactly one equal sign (=). Keywords are case-insensitive and arguments are case-sensitive.

Any line starting with a number sign (#) is a comment. Any empty line is ignored.

Note: Items in this list configure features which affect the Secure Shell connection. Additional keywords are available for configuring terminal emulation for ssh command line sessions. Reference information about these keywords is available in Configuration File Keyword Reference - Terminal Emulation Settings.

BatchMode

Specifies whether or not to disable all queries for user input, including password and passphrase prompts, which is useful for scripts and batch jobs. The allowed values are 'yes' and 'no'. The default is 'no'.

Note: BatchMode does not suppress the prompts that keyboard interactive authentication generates; instead, connections that depend on keyboard interactive authentication fail when BatchMode is enabled. For unattended jobs, use public key authentication with a key that does not require a passphrase prompt.

BindAddress

Specifies the local address (interface) to use as the source of the connection on computers with multiple interfaces or aliased addresses.

ChallengeResponseAuthentication

Specifies whether to use challenge response authentication. The argument must be 'yes' or 'no'. This authentication method is recommended if you are using SecurID, PAM authentication, or any other external authentication method that requires prompts from the server and responses from the user. The default is 'yes'. This applies to SSH protocol 1 only, which is supported, but not recommended. Use KbdInteractiveAuthentication for SSH protocol version 2.

CheckHostIP

If this flag is set to 'yes', the Reflection Secure Shell Client checks the host IP address in the known_hosts file in addition to checking the host public key. The connection is allowed only if the IP address recorded in the known_hosts entry matches the IP address you are using for the connection, which helps detect a known key being presented from an unexpected address. The default is 'no'. Note: This setting has no effect if StrictHostKeyChecking = no.

CheckHostPort

If this flag is set to 'yes', the Reflection Secure Shell Client checks the host port in the known_hosts file in addition to checking the host public key. The connection is allowed only if the port recorded in the known_hosts entry matches the port you are using for the connection. The default is 'no'. Note: This setting has no effect if StrictHostKeyChecking = no.

Cipher

Specifies the cipher to use for encrypting the session in protocol version 1. Currently, 'blowfish', '3des', and 'des' are supported. des is supported only for interoperability with legacy protocol 1 implementations that do not support the 3des cipher; its use is strongly discouraged because of its cryptographic weaknesses (a 56-bit key). The default is '3des'.

Ciphers

Specifies the ciphers allowed for protocol version 2 in order of preference. Multiple ciphers must be comma-separated. The default is 'aes128-ctr,aes128-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour'. If the connection is set to run in FIPS mode, the default is 'aes128-ctr,aes128-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,3des-cbc'. The order matters: the cipher used is the first one in this list that the server also supports, so a server that offers only legacy ciphers can still negotiate arcfour (RC4), a CBC-mode cipher, or a 64-bit block cipher (3des, blowfish, cast128) from the default list. Where the server supports the AES CTR ciphers, restrict the list to those.

ClearAllForwardings

Clears any local, remote, or dynamically forwarded ports that have already been processed from either a configuration file or the command line. Note: scp and sftp clear all forwarded ports automatically regardless of the value of this setting. The allowed values are 'yes' and 'no'. The default is 'no'.

Compression

Specifies whether compression is enabled. Compression is desirable on modem lines and other slow connections, but slows down response rates on fast networks. Compression reduces the amount of data sent; it does not strengthen the encryption. The allowed values are 'yes' and 'no'. The default is 'no'.

CompressionLevel

Specifies the compression level to use if compression is enabled. This option applies to protocol version 1 only. The argument must be an integer from 1 (fast) to 9 (slow, best). The default level is 6, which is good for most applications. The meaning of the values is the same as in gzip.

ConnectionAttempts

Specifies the number of tries (one per second) to make before exiting. The argument must be an integer. This may be useful in scripts if the connection sometimes fails. The default is 1.

ConnectionReuse

Specifies whether multiple sessions to the same host reuse the original Secure Shell connection and therefore don't require re-authentication. The argument must be 'yes' or 'no'. When set to 'yes', new connections reuse the existing tunnel when the host name, user name, and SSH configuration scheme (if used) all match. When set to 'no', Reflection establishes a new connection for each session, which means that each new connection repeats the authentication process and also applies any modified connection-specific settings (such as forwards and ciphers). The default is 'yes' for connections made from the Reflection window and 'no' for connections made with the Reflection command line utilities. For details, see Connection Reuse in Secure Shell Sessions.

DisableCRL

Specifies whether CRL (Certificate Revocation List) checking occurs when validating host certificates. Setting this to yes disables Certificate Revocation List checking. The default value of this setting is based on your current system setting for CRL checking. To view and edit the system setting, launch Internet Explorer, and go to Tools > Internet Options >Advanced. Under Security, look for "Check for server certificate revocation."

DynamicForward

Specifies that a TCP/IP port on the local machine be forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. The argument must be a port number. Currently the SOCKS4 protocol is supported, and Reflection Secure Shell will act as a SOCKS4 server. Multiple forwardings may be specified, and additional forwardings can be given on the command line. Only a user with administrative privileges can forward privileged ports.

EscapeChar

Sets the escape character (default: '~'). The escape character can also be set on the command line. The argument must be a single character, '^' followed by a letter, or 'none' to disable the escape character entirely (making the connection transparent for binary data).

FipsMode

When this setting is 'yes' connections must be made using security protocols and algorithms that meet United States government's Federal Information Processing Standard (FIPS) 140-2. Options that don't meet these standards are not available on the Encryption tab.

Note: This setting affects the SSH configuration scheme specified by the Host keyword, and has no effect on subsequent Secure Shell sessions unless they are configured to use the same SSH configuration scheme (or host name).

ForwardAgent

Setting this to 'yes' enables forwarding of the Reflection Key Agent connection. Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the agent's Unix-domain socket) can access the local agent through the forwarded connection. Attackers cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent. This may need to be enabled on the server also. The default is 'no'.

ForwardX11

Specifies whether X11 connections are automatically redirected over the secure channel and DISPLAY set. The argument must be 'yes' or 'no'. The default is 'no'.

Note: If you configure Secure Shell using Reflection X, ForwardX11 is set to 'yes' automatically.

GatewayPorts

Specifies whether remote hosts are allowed to connect to local forwarded ports. By default, Reflection Secure Shell binds local port forwardings to the loopback address. This prevents other remote hosts from connecting to forwarded ports. GatewayPorts can be used to specify that Reflection Secure Shell should bind local port forwardings to the wildcard address, thus allowing remote hosts to connect to forwarded ports. Be careful about enabling this setting. Using it can reduce the security of your network and connection because it can allow remote hosts to use the forwarded port on your system without authenticating. The argument must be 'yes' or 'no'. The default is 'no'.

GlobalKnownHostsFile

Specifies a file to use for the global host key database instead of the default file named ssh_known_hosts located in the Reflection application data folder.

Note: Enclose the filename in quotation marks if any part of the path or filename includes spaces.

GssapiAuthentication

Specifies whether GSSAPI authentication (using Kerberos credentials obtained from a KDC) is used to authenticate to the Secure Shell server. This setting is applicable only if the protocol being used is protocol version 2. (The equivalent setting for protocol version 1 is KerberosAuthentication.) The allowed values are 'yes' and 'no'. The default is 'no'.

GssapiDelegateCredentials

Specifies whether GSSAPI is used to forward your ticket granting ticket (krbtgt) to the host. This setting is applicable only if the protocol being used is protocol version 2. (The equivalent setting for protocol version 1 is KerberosTgtPassing.) The allowed values are 'yes' and 'no'. The default is 'yes'. A server that receives your TGT can obtain further service tickets in your name, so consider setting this to 'no' for hosts you do not fully trust and enabling it only where you need onward access from the remote host.

GssapiUseSSPI

Specifies whether Microsoft's Security Support Provider Interface (SSPI) is used for GSSAPI authentication. This setting is applicable only if Kerberos/GSSAPI authentication is enabled (using GssapiAuthentication for protocol version 2 and KerberosAuthentication for protocol version 1). The argument to this keyword must be 'yes' or 'no'. When set to 'no' the Reflection Secure Shell Client uses the Reflection Kerberos Client for GSSAPI authentication. When set to 'yes' the Reflection Secure Shell Client uses your Windows domain login credentials (SSPI) to authenticate to the Secure Shell server. SSPI is supported for protocol version 2 connections only, and the server must support the GSSAPI-with-mic authentication method. The default is 'yes'.

GssServicePrincipal

Specifies a non-default service principal name to use when the client sends a request for a service ticket to the Kerberos Key Distribution Center (KDC). If you have selected SSPI for your GSSAPI provider, you can use this setting to specify a service principal in a realm that is different from the Windows domain. Use a fully qualified host name followed by @ then the realm name, for example myhost.myrealm.com@MYREALM.COM. (By default the hostname value is the name of the Secure Shell server to which you are connecting and the realm depends upon the value of GssapiUseSSPI. When GssapiUseSSPI is 'no' the realm name is specified in your default principal profile. When GssapiUseSSPI is 'yes', the realm is your Windows domain name.)

Host

Identifies the declarations that follow (up to the next Host keyword) as belonging to the specified SSH configuration scheme. The characters '*' and '?' can be used as wildcards. A single '*' as a pattern can be used to provide global defaults for all hosts. A Reflection connection uses the first stanza whose Host string matches (wildcards included) and ignores all later matches; settings are not merged across stanzas. Order stanzas from most specific to least specific, because a 'Host *' stanza placed first prevents every later host-specific stanza from ever being used.

Note: When you close the Reflection Secure Shell Settings dialog box, values with default settings are not saved to the configuration file. If a default value has been manually added to the file, it is removed when you close the dialog box. This imposes design constraints if you use wildcard host stanzas in combination with stanzas that use specific host names. If you have manually configured a default value in a specific host stanza that is meant to override a value configured in a wildcard stanza, the default setting is removed when you open the Secure Shell settings dialog box to view settings for the host-specific SSH config scheme. You can successfully handle this situation by using the global configuration file, which is not updated when users open and close the Reflection Secure Shell Settings dialog box.
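The two rules above (the keyword/value syntax from the top of this page, and first-matching-Host-wins) are easy to get wrong when editing by hand, so here is an added example that is not part of this reference or the Reflection product: a small Python parser that reads a configuration file, resolves which stanza a given host name would use, and flags host-specific stanzas that an earlier wildcard stanza makes unreachable. The sample configuration inside it is constructed for the example; the MULTI_VALUED set of repeatable keywords is an assumption drawn from the keyword descriptions on this page, and wildcard matching uses Python's fnmatch, which is assumed to behave like the '*' and '?' wildcards described here.

```python
import re
from fnmatch import fnmatchcase

# Keywords this reference allows more than once per stanza (assumption drawn from
# the keyword descriptions); their values accumulate in a list.
MULTI_VALUED = {"identityfile", "localforward", "remoteforward",
                "dynamicforward", "multihop", "sendenv"}

# keyword, then either white space or optional white space around exactly one '='
_LINE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def _unquote(value):
    """Strip the quotation marks the reference requires around paths containing spaces."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def parse_config(text):
    """Parse the file into [(host_pattern, settings), ...] in file order.

    Keywords are lowercased (they are case-insensitive); arguments keep their case.
    Lines before the first Host keyword, if any, land in a stanza with pattern None.
    """
    stanzas = []
    pattern, settings = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # comments and empty lines are ignored
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"cannot parse line: {raw!r}")
        keyword, value = m.group(1).lower(), _unquote(m.group(2))
        if keyword == "host":
            stanzas.append((pattern, settings))
            pattern, settings = value, {}
        elif keyword in MULTI_VALUED:
            settings.setdefault(keyword, []).append(value)
        else:
            settings[keyword] = value                 # a later duplicate overrides an earlier one
    stanzas.append((pattern, settings))
    return [(p, s) for p, s in stanzas if p is not None or s]


def resolve(stanzas, hostname):
    """Apply the reference's rule: the first stanza whose Host pattern matches is used
    in full, and every later matching stanza is ignored (no per-keyword merging)."""
    for pattern, settings in stanzas:
        if pattern is not None and fnmatchcase(hostname, pattern):
            return pattern, settings
    return None, {}


def shadowed(stanzas):
    """Lint: host-specific stanzas that can never be selected because an earlier
    stanza (usually a wildcard) already matches their literal name."""
    out = []
    for i, (pattern, _) in enumerate(stanzas):
        if pattern is None or "*" in pattern or "?" in pattern:
            continue
        for earlier, _ in stanzas[:i]:
            if earlier is not None and fnmatchcase(pattern, earlier):
                out.append((pattern, earlier))
                break
    return out


# Constructed sample (not taken from any real configuration): the wildcard stanza
# comes first, so the stricter build1 stanza is never used.
SAMPLE = r"""
# global defaults
Host *
    StrictHostKeyChecking = ask
    Ciphers aes128-ctr,aes256-ctr

Host build1.example.com
    StrictHostKeyChecking yes
    IdentityFile "C:\Users\me\.ssh\build key"
    LocalForward 8080 intranet:80
    LocalForward 3389 desk01:3389 RDP=1
"""

if __name__ == "__main__":
    stanzas = parse_config(SAMPLE)
    print("build1 resolves to stanza:", resolve(stanzas, "build1.example.com")[0])
    print("unreachable stanzas:", shadowed(stanzas))
```

Running the script shows build1.example.com resolving to the 'Host *' stanza, with StrictHostKeyChecking left at 'ask' rather than the 'yes' the host-specific stanza intended; swapping the two stanzas fixes it, which is what the shadowed() lint is there to catch.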

HostKeyAlgorithms

Specifies, in order of preference, the protocol version 2 host key algorithms that the client uses. The default for this option is: 'x509v3-sign-rsa,x509v3-sign-dss,ssh-rsa,ssh-dss'. This setting is useful when the server is configured for both certificate and standard host key authentication. SSH protocol allows only one attempt to authenticate the host. If the host presents a certificate, and the client is not configured for host authentication using certificates, the connection will fail. (This is different from user authentication, in which multiple authentication attempts are supported.)

HostKeyAlias

Specifies an alias to be used instead of the real host name for looking up or saving the host key in the host key database files. This option is useful for tunneling ssh connections or for multiple servers running on a single host.

IdentityFile

Specifies a private key to use for key authentication. (Files are located in the user .ssh folder.) IdentityFile items are added when you select keys or certificates from the list in the User Keys tab of the Secure Shell settings dialog box. It is possible to have multiple identity files specified in configuration files; all these identities will be tried in sequence.

Note: Enclose the full path name in quotation marks if it includes spaces.

KbdInteractiveAuthentication

Specifies whether to use keyboard interactive authentication. The allowed values are 'yes' and 'no'. The default is 'yes'. This authentication method is recommended if you are using SecurID, PAM authentication, or any other external authentication method that requires prompts from the server and responses from the user. It may also work better than the PasswordAuthentication method on hosts where password expiration or first-login password changing is enabled, and it may be required when an expired password must be reset in order to authenticate successfully. This applies to SSH protocol 2 only. Use ChallengeResponseAuthentication for SSH protocol version 1.

KeepAlive

Specifies whether the system should send TCP keepalive messages to the other side. If they are sent, death of the connection or crash of one of the machines will be detected. The default is 'yes' (send keepalives), so that the client detects when the network goes down or the remote host dies. This is important in scripts and helpful to users. However, it means that connections die if the route is down temporarily, which some users find annoying. To disable keepalives, set the value to 'no'. This keyword enables the Windows TCP keepalive mechanism, which sends keepalive messages every two hours by default. The TCP/IP keepalive timing is configurable using two optional parameters that typically do not exist in the Windows registry, KeepAliveTime and KeepAliveInterval. These are configured in the HKEY_LOCAL_MACHINE registry subtree, in the following location:

SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

For information about setting these parameters, refer to Microsoft Knowledge Base Article 120642.

KerberosAuthentication

Specifies whether Kerberos authentication is used for protocol version 1 connections. (The equivalent setting for protocol version 2 is GssapiAuthentication.) The argument to this keyword must be 'yes' or 'no'.

KerberosTgtPassing

Specifies whether a Kerberos TGT is forwarded to the server. This will work only if the Kerberos server is actually an AFS kaserver. This setting applies to protocol version 1 only. (The equivalent setting for protocol version 2 is GssapiDelegateCredentials.) The argument to this keyword must be 'yes' or 'no'.

KexAlgorithms

Specifies which key exchange algorithms the client supports, and the order of preference. The supported values are 'diffie-hellman-group1-sha1', 'diffie-hellman-group-exchange-sha1' and 'diffie-hellman-group14-sha1'. The default is 'diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1'. Note that diffie-hellman-group1-sha1 uses a fixed 1024-bit group, which is considered too small today; where the server supports it, list 'diffie-hellman-group14-sha1' (2048-bit) and 'diffie-hellman-group-exchange-sha1' first, or leave group1 out entirely.

Note: If GSSAPI authentication using the Reflection Kerberos Client is enabled, then the following additional key exchange algorithms are automatically added to the list: gss-group1-sha1 and gss-gex-sha1.

LocalForward

Specifies that a TCP/IP port on the local machine be forwarded over the secure channel to the specified host and port on the remote machine. Multiple forwardings can be specified. Only users with administrator privileges can forward privileged ports. You can also configure optional arguments for forwarding FTP, configuring remote desktop, and automatically launching an executable file (*.exe) after the connection is made. The syntax for this keyword is:

LocalForward localport host:hostport [FTP=0|1] [RDP=0|1] ["ExecutableFile" [args]]

The options are:

localport

A local port number.

host:hostport

A remote host and a port on that host. (You can specify localhost to forward data to a different port on the same remote host to which you have already established a Secure Shell connection.) IPv6 addresses can be specified with an alternative syntax: host/port.

FTP

Set to 1 if you are tunneling FTP file transfer.

RDP

Set to 1 if you are tunneling a Remote Desktop session.

"ExecutableFile"

Specify an executable file (including complete path information, if required) to have Reflection launch an application immediately after the Secure Shell connection is established. To forward data through the secure tunnel, this application should be configured to make a connection to localhost (or the loopback IP address, 127.0.0.1) using the specified localport. Give the full path of the executable and keep the quotation marks; a bare file name is resolved through the Windows search path, so anyone who can write to a directory on that path could substitute their own program.

Logfile

Specifies a log file to use for debugging. All session input and output is written to this file, so the log can contain passwords typed at prompts and other sensitive session content; restrict access to it and delete it when debugging is finished. Use this keyword with the -o command-line utility option as shown here:

-o Logfile=\path\logfile_name

Note: Enclose the path filename in quotation marks if any part of the path or filename includes spaces.

LogLevel

Specifies the verbosity level that is used when logging messages from the Reflection Secure Shell Client. The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of verbose output.

Macs

Specifies the MAC (message authentication code) algorithms in order of preference. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. The default is: 'hmac-sha1,hmac-sha256,hmac-sha512,hmac-md5,hmac-ripemd160,hmac-sha1-96,hmac-md5-96'. If the connection is set to run in FIPS mode, the default is 'hmac-sha1,hmac-sha256,hmac-sha512'. As with Ciphers, the server can end up with any entry in the list, so remove the MD5-based and truncated (-96) MACs unless a legacy server requires them.
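Because the negotiated algorithm is the first entry in the client's list that the server also offers, the defaults quoted for Ciphers, KexAlgorithms and Macs can quietly land on a legacy algorithm. The following added example (editorial code, not from this reference or the Reflection product) audits such lists, derives hardened ones, and simulates the negotiation against a constructed server offer. The WEAK sets encode a hardening policy chosen for the example rather than anything this reference states, and the first-match rule from RFC 4253 section 7.1 is used for the simulation.

```python
# Default algorithm lists exactly as this reference states them (product defaults).
DEFAULT_CIPHERS = ("aes128-ctr,aes128-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,"
                   "3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour")
DEFAULT_MACS = ("hmac-sha1,hmac-sha256,hmac-sha512,hmac-md5,hmac-ripemd160,"
                "hmac-sha1-96,hmac-md5-96")
DEFAULT_KEX = ("diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1,"
               "diffie-hellman-group14-sha1")

# Entries a practitioner would normally drop when the server offers modern
# alternatives. This is the example's own policy, not a list from the reference:
# RC4 (arcfour) keystream biases; CBC mode in SSH (plaintext-recovery attacks);
# 64-bit block ciphers (3des, blowfish, cast128) exposed to birthday attacks on
# long sessions; MD5-based and truncated (-96) MACs; the 1024-bit group1 exchange.
WEAK = {
    "ciphers": {"arcfour", "arcfour128", "arcfour256", "3des-cbc", "blowfish-cbc",
                "cast128-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"},
    "macs": {"hmac-md5", "hmac-md5-96", "hmac-sha1-96", "hmac-ripemd160"},
    "kexalgorithms": {"diffie-hellman-group1-sha1"},
}


def parse_list(value):
    """Split a comma-separated algorithm list, preserving preference order."""
    return [a.strip() for a in value.split(",") if a.strip()]


def audit(keyword, value):
    """Return the entries of a Ciphers/Macs/KexAlgorithms value that are on the weak list."""
    weak = WEAK[keyword.lower()]
    return [a for a in parse_list(value) if a in weak]


def harden(keyword, value):
    """Drop weak entries but keep the remaining order; refuse to return an empty list."""
    kept = [a for a in parse_list(value) if a not in WEAK[keyword.lower()]]
    if not kept:
        raise ValueError(f"{keyword}: nothing acceptable left in {value!r}")
    return ",".join(kept)


def negotiate(client_value, server_supported):
    """SSH chooses the first algorithm in the client's list that the server also
    supports (RFC 4253 section 7.1), so a weak entry anywhere in the client list
    can be selected by a server that offers nothing stronger."""
    server = set(server_supported)
    for a in parse_list(client_value):
        if a in server:
            return a
    return None        # no common algorithm: the connection fails instead of downgrading


def hardened_stanza_lines():
    """Keyword lines ready to paste into a Host stanza, derived from the defaults above."""
    return [
        "Ciphers " + harden("Ciphers", DEFAULT_CIPHERS),
        "Macs " + harden("Macs", DEFAULT_MACS),
        "KexAlgorithms " + harden("KexAlgorithms", DEFAULT_KEX),
    ]


if __name__ == "__main__":
    legacy_server = ["aes256-cbc", "3des-cbc"]           # constructed server offer
    print("default negotiates:", negotiate(DEFAULT_CIPHERS, legacy_server))
    print("hardened negotiates:", negotiate(harden("Ciphers", DEFAULT_CIPHERS), legacy_server))
    print("\n".join(hardened_stanza_lines()))
```

Against the constructed legacy server the default Ciphers list negotiates aes256-cbc, while the hardened list finds no common cipher and the connection fails; failing loudly is the intended outcome, since it surfaces the server that still needs upgrading instead of hiding it behind a weak session.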

MatchHostName

Specifies whether host name matching is required when validating host certificates. When this setting is 'yes' (the default), the host name you configure in Reflection must exactly match a host name entered in either the CommonName or the SubjectAltName fields of the certificate.

Multihop

Configures multi-hop connections, which can be used to establish secure connections through a series of SSH servers. This is useful if your network configuration doesn't allow direct access to a remote server, but does allow access via intermediate servers.

The syntax for this keyword is:

Multihop localport host:hostport

Add a new Multihop line for each server in the series. Each connection on the list is sent through the tunnel established by the connection above it.

In the example below, SSH connections configured to ServerC will connect first to ServerA, then to ServerB, and finally to the ServerC.

Host ServerC

Multihop 2022 ServerA:22

Multihop 3022 ServerB:22
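The LocalForward and Multihop syntaxes above both take a local port and a host:hostport target (with host/port for IPv6 literals), and LocalForward adds optional FTP/RDP flags and a quoted executable. As an added example (not from this reference or the Reflection product), this Python code parses those arguments into structured fields, rejects ambiguous IPv6 targets, and records whether the local port is privileged. The sample lines are constructed; treating any unquoted token after the target as an FTP/RDP flag (so that an unquoted executable is rejected) and using 1024 as the privileged-port boundary are assumptions drawn from the syntax line above.

```python
import re

_FLAG = re.compile(r"^(FTP|RDP)=([01])$", re.IGNORECASE)
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')   # a quoted "ExecutableFile" or a bare word


def _tokens(value):
    """Split a keyword argument into (text, was_quoted) pairs."""
    return [(m.group(1), True) if m.group(1) is not None else (m.group(2), False)
            for m in _TOKEN.finditer(value)]


def parse_endpoint(spec):
    """'host:hostport', or 'host/hostport' for IPv6 literals (the reference's
    alternative syntax, since an IPv6 address itself contains colons)."""
    if "/" in spec:
        host, port = spec.rsplit("/", 1)
    elif spec.count(":") == 1:
        host, port = spec.split(":")
    else:
        raise ValueError(f"ambiguous endpoint {spec!r}: write IPv6 targets as host/port")
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {spec!r}")
    return host, port


def parse_local_forward(value):
    """Parse: localport host:hostport [FTP=0|1] [RDP=0|1] ["ExecutableFile" [args]]"""
    toks = _tokens(value)
    if len(toks) < 2:
        raise ValueError("LocalForward needs at least 'localport host:hostport'")
    local_port = int(toks[0][0])
    host, host_port = parse_endpoint(toks[1][0])
    spec = {"localport": local_port, "host": host, "hostport": host_port,
            "ftp": False, "rdp": False, "executable": None, "args": [],
            # ports below 1024 (assumed boundary) need administrator privileges
            "privileged": local_port < 1024}
    rest = toks[2:]
    while rest and not rest[0][1]:            # bare words before the executable are flags
        m = _FLAG.match(rest[0][0])
        if not m:
            raise ValueError(f"unexpected token {rest[0][0]!r}; the executable must be quoted")
        spec[m.group(1).lower()] = m.group(2) == "1"
        rest = rest[1:]
    if rest:
        spec["executable"] = rest[0][0]
        spec["args"] = [text for text, _ in rest[1:]]
    return spec


def parse_multihop(values):
    """Parse the Multihop lines of one stanza, in file order, into the hop chain:
    each hop is reached through the tunnel opened by the hop before it."""
    chain = []
    for value in values:
        toks = _tokens(value)
        if len(toks) != 2:
            raise ValueError(f"Multihop needs 'localport host:hostport': {value!r}")
        host, port = parse_endpoint(toks[1][0])
        chain.append({"localport": int(toks[0][0]), "host": host, "hostport": port})
    return chain


if __name__ == "__main__":
    # Constructed lines (not from the product documentation).
    print(parse_local_forward('3389 desk01:3389 RDP=1 "C:\\Windows\\System32\\mstsc.exe" /v:localhost:3389'))
    print(parse_multihop(["2022 ServerA:22", "3022 ServerB:22"]))
```

The privileged flag is the check to run before deploying a configuration to users who are not administrators: a LocalForward or Multihop line with a local port below 1024 will not bind for them.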

NoShell

When NoShell is set to 'yes', the client creates a tunnel without opening a terminal session. This option can be used in combination with ConnectionReuse to create a tunnel that can be reused by other ssh connections. Note: This option affects connections made with the command line utility; it is not intended for use with the Reflection user interface.

NumberOfPasswordPrompts

Specifies the number of password prompts before giving up. The argument to this keyword must be an integer. The default is 3.

PasswordAuthentication

Specifies whether to use password authentication. The allowed values are 'yes' and 'no'. The default is 'yes'.

Port

Specifies the port number to connect on the remote host. The default is 22.

PreferredAuthentications

Specifies the order in which the client should try protocol 2 authentication methods. This corresponds to the order (top to bottom) in which the methods are displayed in the User Authentication list on the General tab of the Reflection Secure Shell Settings dialog box. This setting enables the client to prefer one method (such as keyboard-interactive) over another method (such as password). By default, Reflection attempts authentication in the following order: 'publickey,keyboard-interactive,password'. If GSSAPI authentication is enabled, the default changes to: 'gssapi-with-mic,external-keyex,gssapi,publickey,keyboard-interactive,password'.

Notes:

  • If you include PreferredAuthentications in your config file, the list you specify must include every authentication method you want to try. If PreferredAuthentications is present, but does not specify a particular authentication method, Reflection will not use that authentication method, even if the keyword for enabling that authentication method is correctly configured.
  • Including an authentication method in the PreferredAuthentications list does not enable authentication using that method. To enable an authentication method that is not used by default, the keyword for that authentication method must also be correctly configured (for example, to enable GSSAPI authentication, you must set GssapiAuthentication to yes.)

Protocol

Specifies the protocol versions the Reflection Secure Shell Client should support in order of preference. The possible values are '1' and '2'. Multiple values must be comma-separated. The default is '2,1', which means that Reflection tries version 2 and falls back to version 1 if version 2 is not available. Because protocol 1 is supported but not recommended, set this to '2' unless you must connect to a server that offers only protocol 1; that prevents any fallback to the weaker protocol.

Proxy

Specifies a proxy type to use for Secure Shell connections. Supported values are "SOCKS" and "HTTP".

Note: Proxy use is enabled for each Host section in the configuration file using this setting. The proxy server address is stored in the Windows registry on a per-user basis.

PubkeyAuthentication

Specifies whether to try public key authentication. This option applies to protocol version 2 only. The allowed values are 'yes' and 'no'. The default is 'yes'.

RemoteCommand

Specifies one or more commands to run on the remote server. Use a semicolon (;) to separate multiple commands. After a connection is established the server executes (or attempts to execute) the specified command(s), and then the session terminates. The server must be configured to allow commands received from the client to run.

RemoteForward

Specifies that a TCP/IP port on the remote machine be forwarded over the secure channel to the specified host and port from the local machine. The first argument must be a port number, and the second must be host:port. IPv6 addresses can be specified with an alternative syntax: host/port. Multiple forwardings may be specified. Only the users with administrator privileges can forward privileged ports.

RSAAuthentication

Specifies whether to try RSA authentication. This option applies to protocol version 1 only. RSA authentication will only be attempted if the identity file exists. The allowed values are 'yes' and 'no'. The default is 'yes'.

SendEnv

Specifies an environment variable to set on the server before executing a shell or a command. The value should be of form: VAR val. The server must support the specified variable, and must be configured to accept these environment variables.

ServerAlive

Specifies whether to send server alive messages to the SSH server at the interval specified by ServerAliveInterval. The Secure Shell ServerAlive setting sends an SSH protocol message to the server at the specified interval to ensure that the server is still functioning. If this setting is not enabled, the SSH connection will not terminate if the server dies or the network connection is lost. This setting can also be used to keep connections that only forward TCP sessions from being timed out by the server, as the server may time out these connections because it detects no SSH traffic. The allowed values are 'yes' and 'no'. The default is 'no'.

Note: The Secure Shell ServerAlive setting is not related to the TCP keep alive setting (KeepAlive) that can be set in the Windows registry to keep all TCP/IP connections from being timed out by a firewall. To change the TCP/IP keep alive behavior, you need to edit the Windows registry.

ServerAliveInterval

Specifies the interval (in seconds) to use when ServerAlive = 'yes'. Use an integer value of one or greater. The default is 30.

SftpBufferLen

Specifies the number of bytes requested in each packet during SFTP transfers. The default is 32768. Adjusting this value can improve transfer speed. The optimum value depends on your network and server setup. Changing this value may also affect how quickly you can cancel a transfer.

SftpMaxRequests

Specifies the maximum number of outstanding data requests that the client will allow during SFTP transfers. The default is 10. Adjusting this value can improve transfer speed. The optimum value depends on your network and server setup. Changing this value may also affect how quickly you can cancel a transfer.

StrictHostKeyChecking

The argument must be 'yes', 'no' or 'ask'. The default is 'ask'. If this option is set to 'yes', the Reflection Secure Shell Client never automatically adds host keys to the known_hosts file (located in the user .ssh folder), and refuses to connect to hosts whose host key has changed. This option forces the user to manually add all new hosts. If this flag is set to 'no', Reflection connects to the host without displaying a confirmation dialog box, and does not add the host key to the list of trusted keys. If this flag is set to 'ask', new host keys are added to the user known host files only after the user has confirmed that is what they want. The host keys of known hosts are verified automatically in all cases. With 'no', a host whose key is not yet in known_hosts is accepted without any confirmation, so that first connection has no protection against a man-in-the-middle; for scripts and batch jobs, use 'yes' and distribute the expected host keys in known_hosts (or GlobalKnownHostsFile) in advance.

Note: This setting has no effect when the host has been configured to authenticate using x509 certificates. If a host presents a certificate for host authentication and you do not have the required CA certificate configured as a trust anchor, the connection will fail.

TryEmptyPassword

If this flag is set to 'yes', the client starts the password authentication by trying to enter an empty password. Note that this will count as a login attempt on most systems.

User

Specifies the user to log in as. This can be useful when a different user name is used on different machines.

UseOCSP

Specifies whether the client uses OCSP (Online Certificate Status Protocol) to validate host certificates. The allowed values are 'yes' and 'no'. The default is 'no'.

UserKnownHostsFile

Specifies a file to use for the user host key database instead of the known_hosts file (located in the user .ssh folder). Use quotation marks if the file or path includes spaces.

x509dsasigtype

Specifies the hash algorithm the client uses in the process of proving possession of DSA private keys. Possible values are 'sha1raw' (the default) and 'sha1asn1'.

x509rsasigtype

Specifies the hash algorithm the client uses in the process of proving possession of RSA private keys. Possible values are 'md5' and 'sha1' (the default). Use 'md5' only if a server requires it; MD5 is no longer considered a secure hash.

Related Topics

Configuration File Keyword Reference - Terminal Emulation Settings