Client Configuration Keywords
You can configure the following settings in the client configuration file. (The global file is /etc/ssh2/ssh2_config; the user-specific file is $HOME/.ssh2/ssh2_config.) You can also configure these settings using the -o option on the ssh command line.
Specifies which address formats are supported by the client. The allowed values are `any' (allow the system to decide which address family to use), `inet' (accept only IPv4), and `inet6' (prefer IPv6 but accept IPv4). The default is `inet'. You can also configure address family preference using the -4 and -6 command line options.
Specifies which authentication methods the client attempts, and the order in which they are tried. The supported methods are: `gssapi-keyex', `gssapi-with-mic', `publickey', `keyboard-interactive', and `password'. Use a comma-separated list to specify supported methods. The client attempts authentication methods in order from first to last. The authentication technique used for the connection is the one highest in the client order of preference that is also allowed by the server. If the server is configured to require more than one method, multiple authentication methods may be needed to establish a connection. To support automated scripts, the least interactive methods should be placed first in the list. The default is `gssapi-with-mic, publickey, keyboard-interactive, password'.
Specifies whether to display the following message when authentication has been completed successfully: "Authentication successful." The allowed values are `yes' and `no'. The default is `yes'.
Specifies whether to disable all queries for user input, including password and passphrase prompts, which is useful for scripts and batch jobs. If StrictHostKeyChecking is set to `ask' and BatchMode is set to `yes', the client assumes a "no" response to all queries about unknown host keys. The allowed values are `yes' and `no'. The default is `no'.
Specifies whether host IP address checking is performed using the host name and IP address encoded in the public key file name. When a user accepts a new host key, the key is added to the known hosts store using the format key_port_host,IP.pub. When CheckHostIP is enabled, host authentication fails if the actual IP of the specified host doesn't match the encoded IP address for that host. Enabling this setting helps detect DNS spoofing if the host key changes. The allowed values are `yes' and `no'. The default is `no'.
Note: Host keys added to the host key store using versions earlier than v. 7.0 do not include the host IP address. Disable CheckHostIP if you use keys with the older format.
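The naming format and the CheckHostIP decision described above, as an added example (not code from the product): it parses stored host key file names of the form key_port_host,IP.pub, handles the pre-7.0 names that carry no address, and reports whether the IP the client actually connected to matches the recorded one. The sample file names are constructed, and the handling of legacy names as "no IP recorded" follows the note above.

```python
import ipaddress
import re

# Constructed sample listing of $HOME/.ssh2/hostkeys (no real keys involved).
SAMPLE_HOSTKEY_FILES = [
    "key_22_myhost.acme.com,192.0.2.10.pub",   # current format, IPv4 encoded
    "key_2222_gw.acme.com,2001:db8::5.pub",    # current format, IPv6 encoded
    "key_22_legacy.acme.com.pub",              # pre-7.0 format, no IP address
    "README",                                  # not a host key file at all
]


def parse_hostkey_filename(name):
    """Split key_<port>_<host>,<IP>.pub into (port, host, ip).

    ip is None for the older format that has no address part."""
    m = re.fullmatch(r"key_(\d+)_(.+)\.pub", name)
    if not m:
        return None
    port, rest = int(m.group(1)), m.group(2)
    host, sep, ip = rest.rpartition(",")   # IPv6 uses ':' so ',' is unambiguous
    if not sep:
        return port, rest, None            # legacy name: host only
    return port, host, ipaddress.ip_address(ip)


def stored_filename(host, port, ip, alias=None):
    """Build the file name the client would store; HostKeyAlias replaces host."""
    return f"key_{port}_{alias or host},{ip}.pub"


def find_stored_key(filenames, host, port):
    """Locate the stored key file for a host/port pair, if any."""
    for name in filenames:
        parsed = parse_hostkey_filename(name)
        if parsed and parsed[0] == port and parsed[1] == host:
            return name
    return None


def check_host_ip(filename, actual_ip):
    """Reproduce the CheckHostIP=yes decision for one stored key file.

    Returns 'match', 'mismatch', 'no-ip-recorded' (legacy name, for which the
    note above says to disable CheckHostIP) or 'not-a-hostkey'."""
    parsed = parse_hostkey_filename(filename)
    if parsed is None:
        return "not-a-hostkey"
    _port, _host, recorded = parsed
    if recorded is None:
        return "no-ip-recorded"
    if recorded == ipaddress.ip_address(actual_ip):
        return "match"
    return "mismatch"   # host name now resolves elsewhere: possible DNS spoofing


if __name__ == "__main__":
    name = find_stored_key(SAMPLE_HOSTKEY_FILES, "myhost.acme.com", 22)
    print(name, check_host_ip(name, "192.0.2.10"), check_host_ip(name, "198.51.100.7"))
```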
Specifies one or more (comma-separated) encryption algorithms supported by the client. The cipher used for a given session is the cipher highest in the client's order of preference that is also supported by the server. Allowed values are `aes128-ctr', `aes128-cbc', `aes192-ctr', `aes192-cbc', `aes256-ctr', `aes256-cbc', `blowfish-cbc', `arcfour', `arcfour128', `arcfour256', `cast128-cbc', and `3des-cbc'.
You can also set this value to `none'. When `none' is the agreed on cipher, data is not encrypted. Note that this method provides no confidentiality protection, and is not recommended.
The following values are provided for convenience: `aes' (all supported aes ciphers), `blowfish' (equivalent to `blowfish-cbc'), `cast' (equivalent to `cast128-cbc'), `3des' (equivalent to `3des-cbc'), `Any' or `AnyStd' (all available ciphers plus `none'), and `AnyCipher' or `AnyStdCipher' (all available ciphers).
You can also specify encryption algorithms on the ssh command line using the -c option. The default is `AnyStdCipher'.
Clears any local, remote, or dynamically forwarded ports that have already been processed from either a configuration file or the command line. The allowed values are `yes' and `no'. The default is `no'. Note: scp and sftp clear all forwarded ports automatically regardless of the value of this setting.
Specifies whether the MD5 hash algorithm is supported for verifying the digital signature for RSA keys used in public key or X.509 certificate authentication. The allowed values are `yes' and `no'. When this keyword is set to `no' (the default), only signatures with SHA-1 hashes are accepted. When it is set to `yes', signatures with either SHA-1 or MD5 hashes are accepted.
Specifies whether compression is enabled. Compression is desirable on modem lines and other slow connections, but will slow down response rates on fast networks. Compression also adds extra randomness to the packet, making it harder for a malicious person to decrypt the packet. The allowed values are `yes' and `no'. The default is `no'. Compression can be disabled on the ssh command line using the -C option, but can only be enabled in the configuration file.
Specifies whether new ssh, scp, and sftp sessions can reuse an established connection. This feature allows you to start new sessions without having to reauthenticate. The allowed values are `yes' and `no'. The default is `no'. When set to `yes', a new session reuses an existing tunnel if the target host, port, and user are all identical to those used for the established connection. When set to `no', the client establishes a new connection for each session, which means that each new connection repeats the authentication process and also applies any modified connection-specific settings (such as forwards and ciphers).
Note: Connection reuse may fail if the server administrator has configured restricted directory access using ChrootSftpGroups or ChrootSftpUsers.
Specifies the maximum time (in seconds) that the client waits when trying to connect to the server. The default is set to 0 (zero), which means that the client sets no limit and the actual limit is determined by the operating system.
Specifies a default domain name. You can add this setting to your configuration file if you want to be able to enter a short host name on the command line, but send a fully qualified domain name to make the connection. If you have configured a value for DefaultDomain and you enter a host name that doesn't contain any "." (dot) characters, the DefaultDomain value is concatenated to the host name using a "." character. (Note: You can include an optional dot at the beginning of the DefaultDomain string; the first "." in this string is ignored.) Any alpha-numeric character is accepted as a value. For example, if DefaultDomain is set to either "acme.com" or ".acme.com", the command "ssh joe@myhost" is sent as "ssh joe@myhost.acme.com".
Redirects stdin from /dev/null, which prevents reading from stdin. You can also configure this on the ssh command line using the -n option. The allowed values are `yes' and `no'. The default is `no'.
Sets the escape character for the terminal session. The default character is a tilde (~). Setting the escape character to `none' means that no escape character is available and the tilde acts like any other character. For details, see ESCAPE SEQUENCES in the ssh man page. You can also set the escape character on the ssh command line using the -e option.
Specifies whether ssh terminates the connection if all requested dynamic, local, and remote port forwardings cannot be configured. The allowed values are `yes' and `no'. The default is `no'.
Specifies which file types use ASCII transfer during sftp sessions when auto mode transfer is enabled. All other files use binary transfer. Specify a comma or space-separated list. Wildcard (zsh-glob) characters are supported. Don't precede file extensions with a period. To specify extensions containing spaces, use quotation marks around the extension or use a backslash as an escape character. The default is `txt, htm*, pl, php*'. (You can use the setext command during an sftp session to specify a different file list for that session. Use getext to display the current list.)
Note: This setting is only relevant when auto transfer is enabled. The transfer method is set to binary by default. To enable auto transfer, use the sftp command "auto". To display the current transfer mode, use "ascii -s".
Specifies whether all connections will be made using security protocols and algorithms that meet FIPS 140-2 standards. The allowed values are `yes' and `no'. The default is `no'.
Forces a tty allocation even if a command is specified. The allowed values are `yes' and `no'. The default is `no'. You can also configure this on the ssh command line using the -t option.
Specifies whether a connection to the authentication agent (if established) is forwarded to the remote machine. The allowed values are `yes' and `no'. The default is `yes'.
Enables X11 connection forwarding and treats X11 clients as untrusted. Untrusted remote X11 clients are prevented from tampering with data belonging to trusted X11 clients. The allowed values are `yes' and `no'. The default is `yes'. You can also configure this on the ssh command line using the -X option.
The gateway ports setting controls whether locally forwarded ports are available to remote applications. By default this setting is not enabled, and the client uses the loopback address ("localhost" or 127.0.0.1) when it opens a socket for local port forwarding. This prevents applications running on other computers from connecting to the forwarded port. When you enable gateway ports, a remote application client can open a socket using the Secure Shell client host's network address (such as an IP address, a URL, or a DNS name). For example, a Secure Shell client running on acme.com might be configured to forward port 8088. When gateway ports are not enabled, the forwarded socket is localhost:8088. When gateway ports are enabled, the forwarded socket is acme.com:8088. The allowed values are `yes' and `no'. The default is `no'. You can also configure this on the ssh command line using the -g option.
Use this keyword when you have configured port forwarding and you want the Secure Shell session to run in the background. The allowed values are `yes', `no', and `oneshot'. The default is `no'. If at least one port forwarding rule is configured, both `yes' and `oneshot' send the session to the background after authentication is complete. When you specify `yes', the Secure Shell session remains in the background and continues to accept forward requests indefinitely until you manually kill the process. (This is equivalent to using -f on the ssh command line.) When you specify `oneshot', the background session waits for only one forwarded connection to occur and exits as soon as the forwarded connection is closed. (This is equivalent to using -fo on the ssh command line.)
Specifies whether to forward (delegate) GSSAPI credentials to the server. The allowed values are `yes' and `no'. The default is `yes'.
Specifies the actual host name or IP address to use for a connection. The default is an empty string. This keyword can be used in combination with a host stanza expression to create an alternate name for connecting to a host. When this keyword appears outside any stanza, it can be used to specify a default host for the connection.
This keyword is deprecated. It is a synonym for TrustAnchor.
This keyword is deprecated. It is a synonym for TrustAnchor. Note: Certificate revocation checking cannot be configured using the Reflection for Secure IT configuration file. Use Reflection PKI Services Manager to configure revocation checking.
Specifies whether server authentication using a certificate requires host name checking. When HostCertNameCheck is `yes', authentication succeeds only if the host name or IP address specified for the connection is included in the allowed identity set for the certificate. (Use the PKI Services Manager map file to configure allowed identities.) When HostCertNameCheck is `no', the client ignores the allowed identity set and accepts any valid certificate. When HostCertNameCheck is `ask' (the default), the user receives a prompt when the server name is not an allowed identity, and is asked whether or not to continue.
Specifies, in order of preference, the host key algorithms proposed by the client. This setting is useful when the server is configured for both certificate and standard host key authentication. The Secure Shell protocol allows only one attempt to authenticate the host. If the host presents a certificate, and the client is not configured for host authentication using certificates, the connection fails. (This is different from user authentication, in which multiple authentication attempts are supported.) The default is `x509v3-sign-rsa,x509v3-sign-dss,ssh-rsa,ssh-dss'.
Specifies an alias to use instead of the real host name when a host key is saved to the client's directory of known host keys. Host keys are stored using this naming format: key_port_host,IP.pub. The value you specify replaces the host portion of the stored host key name. This option is useful for tunneling Secure Shell connections, or when multiple servers are running on a single host.
Specifies an alternate identification file to use for public key authentication. The file location is assumed to be in the current working directory unless you specify a fully-qualified or relative path. The default identity file is $HOME/.ssh2/identification. For details, see the FILES section below. You can also configure this on the ssh command line using the -i option.
This keyword is deprecated. It is the equivalent of IdentificationFile.
Specifies whether the client sends TCP keep-alive messages to the server. This keyword is deprecated. Use ServerAliveInterval instead. The allowed values are `yes' and `no'. The default is `yes'.
Specifies which key exchange algorithms the client supports. Supported values are `diffie-hellman-group1-sha1' and `diffie-hellman-group14-sha1'. Multiple algorithms can be specified as a comma-separated list. The default value is `diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'.
Use this setting if you use GSSAPI (Kerberos 5) authentication. It specifies the fully-qualified path to the Kerberos library called libgssapi_krb5.so.
Use this keyword to forward connections from an arbitrary port on the client through the secure tunnel. The syntax for configuring this setting is:
When a Secure Shell connection is established, the Secure Shell client opens a socket on the Secure Shell client host using the designated local port (listening_port). (On client hosts with multiple interfaces, use listening_host to specify which interface.) Configure your application client (the one whose data you want to forward) to send data to the forwarded socket (rather than directly to the destination host and port). When that client establishes a connection, all data sent to the forwarded port is redirected through the secure tunnel to the Secure Shell server, which decrypts it and then directs it to the destination socket (host,hostport). Unless the gateway ports option is enabled, the forwarded local port is available only to clients running on the same computer as the Secure Shell client. The optional protocol can be tcp or ftp.
Note: If the final destination host and port are not on the Secure Shell server host, data is sent in the clear between the Secure Shell host and the application server host.
The following example uses local forwarding to secure e-mail communications between a mail client running on the same computer as the Secure Shell client and a mail server running on the same computer as the Secure Shell server. The local mail client is configured to send communications to local port 14300. Data received on port 14300 is forwarded through the secure tunnel to the server, where it is redirected to port 143.
In the following example, FTP communications sent from an FTP client (on the same computer as the Secure Shell client) are forwarded to an FTP server running on myhost.com. With this configuration, you would configure the FTP client to connect to localhost:2121.
You can also configure local forwarding on the ssh command line using the -L option.
Sets the verbosity level used for ssh messages logged to syslog. Allowed values are `fatal', `error', `quiet', `info', `verbose', `debug1' (`debug' and 1 are equivalent), `debug2' (2 is equivalent), `debug3' (3 is equivalent), and `trace' (`debug99' and 99 are equivalent). The syslog level associated with these values is CRIT for fatal, ERROR for error and quiet, INFO for info and verbose, and DEBUG for debug1, debug2, debug3, and trace. The default is `info'.
Specifies which MACs (message authentication codes) are supported by the client. Allowed values are `hmac-sha1', `hmac-sha1-96', `hmac-md5', `hmac-md5-96', `hmac-ripemd160', `hmac-sha256', and `hmac-sha512'. Use `AnyMac' to support all of these. Use `AnyStdMac' to support `hmac-sha1', `hmac-sha1-96', `hmac-md5', and `hmac-md5-96'. Additional options are `none', `any' (equivalent to AnyMac plus `none'), and `AnyStd' (equivalent to `AnyStdMac' plus `none'). Multiple MACs can also be specified as a comma-separated list. When `none' is the agreed on MAC, no message authentication code is used. Because this provides no data integrity protection, options that include `none' are not recommended.
You can also configure MACs on the ssh command line using the -m option. The default is `AnyStdMac'.
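The cipher keyword above and the MAC keyword here follow the same rule (the client's list is expanded, and the first entry the server also supports is used), so one added example serves both; this is illustrative code, not part of the product. It expands the convenience names listed in the text, simulates the negotiation, and flags a configured value that includes `none'. Case-insensitive matching of the names and the expansion order (the order the algorithms are listed above) are assumptions.

```python
# Concrete algorithm names, in the order the text lists them (assumed order).
CIPHERS = ["aes128-ctr", "aes128-cbc", "aes192-ctr", "aes192-cbc",
           "aes256-ctr", "aes256-cbc", "blowfish-cbc", "arcfour",
           "arcfour128", "arcfour256", "cast128-cbc", "3des-cbc"]
CIPHER_ALIASES = {
    "aes": [c for c in CIPHERS if c.startswith("aes")],
    "blowfish": ["blowfish-cbc"],
    "cast": ["cast128-cbc"],
    "3des": ["3des-cbc"],
    "any": CIPHERS + ["none"],          # Any / AnyStd include 'none'
    "anystd": CIPHERS + ["none"],
    "anycipher": list(CIPHERS),         # AnyCipher / AnyStdCipher do not
    "anystdcipher": list(CIPHERS),
}

MACS = ["hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96",
        "hmac-ripemd160", "hmac-sha256", "hmac-sha512"]
MAC_ALIASES = {
    "anymac": list(MACS),
    "anystdmac": MACS[:4],
    "any": MACS + ["none"],
    "anystd": MACS[:4] + ["none"],
}


def expand(value, aliases, known):
    """Turn a keyword value such as 'aes, 3des' into an ordered list of
    concrete names, preserving the client's preference order."""
    result = []
    for token in value.split(","):
        token = token.strip().lower()      # assumed: names are case-insensitive
        if not token:
            continue
        for name in aliases.get(token, [token]):
            if name != "none" and name not in known:
                raise ValueError(f"unknown algorithm: {token}")
            if name not in result:
                result.append(name)
    return result


def negotiate(client_prefs, server_supported):
    """First algorithm in the client's list that the server also supports."""
    for alg in client_prefs:
        if alg in server_supported:
            return alg
    return None


def audit(value, aliases, known):
    """Expand a configured value and warn if 'none' could be negotiated."""
    algs = expand(value, aliases, known)
    warnings = []
    if "none" in algs:
        warnings.append("'none' is offered: a session may be negotiated "
                        "with no encryption or no integrity protection")
    return algs, warnings


if __name__ == "__main__":
    # Client prefers AES first, so AES wins even though the server lists 3DES first.
    client = expand("aes, 3des", CIPHER_ALIASES, CIPHERS)
    print(negotiate(client, ["3des-cbc", "aes256-ctr"]))
    print(audit("AnyStd", MAC_ALIASES, MACS))
```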
This option disables host authentication when the client connects to localhost. It is useful when the home directory is shared across computers. In this situation localhost will refer to a different host on each of the computers, and the client user will get many warnings about changed host keys. Setting this to `yes' disables authentication for localhost so the user won't see these warnings. The allowed values are `yes' and `no'. The default is `no'.
Specifies the number of password prompts to respond to before giving up. Note: The server can also set a maximum number of allowed password attempts. If you set NumberOfPasswordPrompts to a larger value than is configured by the server, the connection will fail when the server limit is reached. The default is 3.
Specifies the prompt to display for password authentication. Two variable options are supported: %r is replaced by the user name and %h is replaced by the host name. The default is "%r@%h's password:". (This setting has no effect on keyboard-interactive authentication.)
Specifies the port used to connect to PKI Services Manager. The default is localhost:18081.
Specifies the name and location of the public key used by the client to confirm the identity of Reflection PKI Services Manager. The default is /opt/attachmate/pkid/config/pki_key.pub.
Specifies the port to connect to on the server. The default is 22, which is the standard port for Secure Shell connections. You can also configure this on the ssh command line using the -p option.
Enables quiet mode, which causes all warning and diagnostic messages, including banners, to be suppressed. The allowed values are `yes' and `no'. The default is `no'. You can also configure this on the ssh command line using the -q option.
Specifies the number of seconds the client waits before initiating a negotiation for a new session key. The value must be an integer. The default is 3600. This keyword can be used in combination with RekeyLimit, in which case the client initiates a new key exchange whenever the first limit is reached.
Specifies the maximum amount of data that can be transmitted before the client initiates a negotiation for a new session key. The argument is the number of bytes, with an optional suffix of `K', `M', or `G' to indicate kilobytes, megabytes, or gigabytes, respectively. Set this value to 0 (zero) to use the default value. The default is between `1G' and `4G', depending on the cipher. This keyword can be used in combination with RekeyIntervalSeconds, in which case the client initiates a new key exchange whenever the first limit is reached.
Specifies which signals the client should relay to the server. RelaySignals accepts a comma-separated list of any of the following signals: ABRT, ALRM, FPE, HUP, ILL, INT, PIPE, QUIT, SEGV, TERM, USR1, USR2. The signals KILL and STOP cannot be caught, blocked, or ignored, so these signals are not supported. No signals are relayed by default.
Use this keyword to forward connections from an arbitrary port on the server through the secure tunnel. The syntax for configuring this setting is:
When the Secure Shell connection is established, the Secure Shell server opens a socket on its host (the computer running the Secure Shell server) using the designated remote port (listening_port). (On server hosts with multiple interfaces, use listening_host to specify which interface.) Configure your client application (the one whose data you want to forward) to send data to the forwarded socket (rather than directly to the destination host and port). When that client establishes a connection, all data sent to the forwarded port is redirected through the secure tunnel to the Secure Shell client, which decrypts it and then directs it to the destination socket (host,hostport). The optional protocol can be tcp or ftp.
In the following example, FTP communications sent from an FTP client (on the same computer as the Secure Shell server) are forwarded to an FTP server (on the same computer as the Secure Shell client). With this configuration, you would configure the FTP client to connect to port 3333.
You can also configure remote port forwarding on the ssh command line using the -R option.
Specifies whether the client sends NOOP messages through the Secure Shell channel to the server. Setting this to `yes' is equivalent to setting ServerAliveCountMax to 3 and ServerAliveInterval to 600. The allowed values are `yes' and `no'. The default is `no'.
Use this setting to close sessions to servers that have become unresponsive. It is relevant only when ServerAliveInterval is set to a non-zero value. ServerAliveCountMax sets the maximum number of server alive messages the client will send without receiving a return message from the server. When this threshold is reached, the client terminates the session. The default is 3. For example, if ServerAliveInterval is set to 600, and ServerAliveCountMax is 3, the client sends a message to the server every 10 minutes until it has sent 3 messages to the server without response. This means that the client will close an unresponsive connection after about 30 minutes.
Sets a time interval, in seconds, for sending NOOP messages to the server through the Secure Shell channel. The client sends a message to the server when no data has been received from the server during the specified interval. Setting this to a non-zero value can be used to inform the Secure Shell server and the TCP stack that the client is still alive, inform all networking hardware (such as routers and NATs) that the Secure Shell connection is still active, and detect network problems and application problems. Use this setting in conjunction with ServerAliveCountMax to terminate a connection to a server that has become unresponsive. The default is 0, which configures the client to send no messages.
Specifies an environment variable to set on the server before executing a shell or a command. The value should be in the form: VAR=val, where val can be empty. The argument is case-sensitive.
Note: Values set with this keyword are cumulative; you can set multiple variables by configuring this keyword multiple times in one or more configuration files.
This keyword determines how the client behaves when a host presents an unknown key for authentication. The possible values are:
`yes' - Connections succeed only when host keys have been manually copied to the user's host key directory ($HOME/.ssh2/hostkeys), or the system-wide host key directory (/etc/ssh2/hostkeys). The client does not add host keys to the user's computer. This is the most secure option.
`ask' - This is the default. The client displays a prompt asking if the user wants to accept a key from an unknown host. This prompt shows the host key fingerprint, which can be used to verify the host's identity. If the user answers `yes', the client adds the host key to the known host keys in the user's directory ($HOME/.ssh2/hostkeys) and uses this key to verify the host's identity in subsequent connections.
`no' - Unknown host keys are added automatically to the user's host key directory ($HOME/.ssh2/hostkeys) and used to verify the host's identity in subsequent connections. The user never knows when an unknown host key is presented.
Specifies whether strict file and directory permissions are required for public key authentication. The allowed values are `yes' and `no'. The default is `yes'. When set to `yes', the user directory ($HOME/.ssh2/) and all parent directories must be writable and executable only by the user (mode 744 is accepted). Recommended permissions for the user directory = 700. The user identification file ($HOME/.ssh2/identification by default) must be configured for user-only read/write access (600 is recommended, 644 is accepted).
Note: Additional file permission restrictions are enforced for all private keys. Keys must be configured for user-only read access regardless of the current StrictModes setting. If access to the private key is not sufficiently restricted, public key authentication will always fail. Recommended permissions for private keys = 600.
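An added example (not the product's own check) that audits a home directory against the StrictModes rules above and applies the recommended modes to anything it flags. The directory rule (no group/other write or execute, so 744 passes), the identification file rule (no group/other write, so 644 passes) and the private key rule (no group/other access at all, enforced regardless of StrictModes) are taken from the text; the list of private key paths is passed in explicitly, and the sample tree is constructed with placeholder files.

```python
import os
import stat
import tempfile

DIR_FORBIDDEN = 0o033      # group/other write or execute on a directory
IDENT_FORBIDDEN = 0o022    # group/other write on the identification file
KEY_FORBIDDEN = 0o077      # any group/other access to a private key
RECOMMENDED = {"dir": 0o700, "identification": 0o600, "private-key": 0o600}


def _mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def check_strict_modes(ssh2_dir, identification, private_keys, top="/"):
    """Return (path, kind, mode) entries that StrictModes=yes would reject.

    Directories are checked from ssh2_dir upward to and including `top`
    (the text says all parents; `top` lets a test stop inside a temp dir)."""
    problems = []
    d = os.path.abspath(ssh2_dir)
    top = os.path.abspath(top)
    while True:
        if _mode(d) & DIR_FORBIDDEN:
            problems.append((d, "dir", _mode(d)))
        if d == top or os.path.dirname(d) == d:
            break
        d = os.path.dirname(d)
    if _mode(identification) & IDENT_FORBIDDEN:
        problems.append((identification, "identification", _mode(identification)))
    for key in private_keys:           # enforced whatever StrictModes says
        if _mode(key) & KEY_FORBIDDEN:
            problems.append((key, "private-key", _mode(key)))
    return problems


def remediate(problems):
    """Apply the recommended mode from the text to each flagged path."""
    for path, kind, _mode_seen in problems:
        os.chmod(path, RECOMMENDED[kind])
    return len(problems)


def build_sample_tree():
    """Construct a throwaway $HOME with deliberately loose modes.

    Constructed sample: the files hold placeholder text, not key material."""
    root = tempfile.mkdtemp(prefix="ssh2_strictmodes_")
    home = os.path.join(root, "home")
    ssh2 = os.path.join(home, ".ssh2")
    os.makedirs(ssh2)
    os.chmod(home, 0o700)
    os.chmod(ssh2, 0o770)              # group-writable: rejected
    ident = os.path.join(ssh2, "identification")
    key = os.path.join(ssh2, "id_rsa")
    for path, mode in ((ident, 0o644), (key, 0o640)):   # 644 accepted, 640 not
        with open(path, "w") as fh:
            fh.write("# constructed placeholder, not a real key\n")
        os.chmod(path, mode)
    return home, ssh2, ident, key


if __name__ == "__main__":
    home, ssh2, ident, key = build_sample_tree()
    found = check_strict_modes(ssh2, ident, [key], top=home)
    for path, kind, mode in found:
        print(f"{kind:14} {oct(mode)} {path}")
    remediate(found)
    print("after fix:", check_strict_modes(ssh2, ident, [key], top=home))
```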
This keyword is optional and is relevant only if you use certificates for server authentication. By default, Reflection PKI Services Manager validates certificates presented for authentication using all of the trust anchors you have configured. Use this keyword to limit which of the Reflection PKI Services Manager trust anchors can be used for certificate validation. You can specify either the Subject DN (Distinguished Name) of a certificate available in the PKI Services Manager store, or the file name of a certificate. Note that the specified trust anchors must also be configured for Reflection PKI Services Manager (using the PKI Services Manager TrustAnchor keyword).
Specifies whether the X server treats forwarded X11 client applications as trusted. The allowed values are `yes' and `no'. The default is `no'. Set this to `yes' to give remote X11 clients full access to the X11 display. When this is set to `no', X11 applications are treated as untrusted. This avoids the risk created when a connection to a compromised host allows applications on that host to "sniff" input operations using the forwarded X11 connection.
Specifies the user name for the remote server. You can configure different user names for different hosts by defining this setting in host-specific stanzas. The default is the current value of the environment variable $USER.
Sets the debug level to verbose mode, which is equivalent to setting the debug level to 2. You can also configure this on the ssh command line using the -v option. The allowed values are `yes' and `no'. The default is `no'.
Specifies the location of the xauth(1) program. The default (for example /usr/X11R6/bin/xauth) is system-dependent.