ssh2_config - Configuration file for the Secure Shell
The configuration file for the Secure Shell client reads
configuration data from the following sources, in this
order: the system's global configuration file
(/etc/ssh2/ssh2_config) the user's configuration file
($HOME/.ssh2/ssh2_config) the command-line options
For each keyword, the last obtained value will be effective.
A configuration file can begin with metaconfiguration
information (i.e., information about the configuration
If the configuration file starts with a line matching the
following egrep style regex #.*VERSION[
it is interpreted as the version of the configuration
style. If this line is not found, the version is 1.0.
The version string can be followed by one or more metaconfiguration
parameters. The lines have to start with the
pound (#) sign, and they have to match the following egrep
style regex: #[# \t]+[A-Z0-9]+[ \t]+.*
Parsing of metaconfiguration directives stops with the
first non-recognized line.
Version 1.1 and later recognize the following parameter:
Denotes the regex syntax used to parse the configuration
file. The value can be egrep, ssh, zsh_fileglob or traditional.
The zsh_fileglob and traditional arguments are
synonymous. The arguments are not case-sensitive.
In the ssh2_config file, expression denotes the start of a
per-host configuration block, where expression is an
arbitrary string which distinguishes this block from others.
The expression can contain wildcards, and will be
compared with the hostname obtained from the command line.
If it matches, the block will be evaluated. Evaluation
stops at the next expression statement. If more than one
match is found, all will be evaluated and the last
obtained values for parameters will be effective. The
expression does not have to be a real hostname, as long as
the expression block contains a Host configuration parameter
that defines the real hostname.
Empty lines and lines starting with the pound (#) sign are
ignored as comments.
Otherwise a line is of the format keyword arguments.
It is possible to enclose arguments in quotes, and use the
standard C convention. Configuration files are case sensitive,
but keywords are not case sensitive. Illegal keywords
will prevent Secure Shell clients from starting successfully.
Following are the ssh2_config file keywords: Specifies the
authentication methods that the client uses. Supported
authentication methods are keyboard-interactive, password,
publickey, email@example.com, firstname.lastname@example.org, and
hostbased. The default is publickey, keyboard-interactive,
You can specify any or all authentication methods.
Use a comma-separated list when specifying more
than one argument. The order in which authentication
methods are listed is the order in which they
are used. The least interactive methods should be
placed first in this list. The first successful
authentication is the one used. Specifies whether
to display the Authentication successful message
after authentication has completed successfully.
This is intended to prevent malicious servers from
getting information from the user by displaying
additional password or passphrase prompts. The
argument must be yes or no. The default is yes.
Specifies whether password or passphrase querying
is disabled. This keyword is useful in scripts and
other batch jobs where you don't have a user to
supply the password. If the StrictHostKeyChecking
keyword is set to ask, the client assumes a no
answer because user input is not accepted when
invoked with BatchMode yes. The argument must be
yes or no. The default is no. Specifies the
ciphers to use for encrypting the session. Supported
ciphers are aes, blowfish, twofish, arcfour,
cast, des, and 3des. Arguments for this keyword are
any and anystd, that allow only standard ciphers
and none, and anycipher that allows any available
cipher or excludes non-encrypting cipher mode none
but allows all others. The AnyStdCipher argument
is the same as the AnyCipher argument, but includes
only those ciphers mentioned in the IETF-SecSHdraft
(excluding none). The AnyStdCipher argument
is the default. Specifies whether to clear all
defined remote and local forwarded ports. The argument
must be yes or no. The scp command always
automatically clears all forwarded ports. Specifies
whether to use compression. The argument must
be yes or no. Writes debug messages to specified
file. (Remember to enable debugging.) Determines
the system name if only the base part of the system
name is available by normal means (for example,
those used by the hostname command). The results
are appended to the found system name, if the system
name returned does not contain a dot ( . ).
This keyword is only useful if set in the global
configuration file. Specifies whether to redirects
input from /dev/null. The argument must be yes or
no. The default is no. Specifies the initialization
string for the external key provider for
accessing external keys for user authentication.
See ssh-externalkeys(4) for more information. This
feature is only available when external key support
is included in the software. Specifies the external
key provider for accessing external keys for
user authentication. See ssh-externalkeys(4) for
more information. This feature is only available
when external key support is included in the software.
Specifies whether or not to configure the
suite of r* commands (rsh, rlogin, and rcp commands
and applications that use the rcmd function) to
automatically use a Secure Shell connection.
The argument must be yes or no. The default is no
in the /etc/ssh2/ssh2_config file and yes in the
$HOME/.ssh2/ssh2_config file of the root account.
For this option to work, TcpForwarding must be
enabled on the remote Secure Shell server. Sets
the escape character. The escape character can also
be set on the command line. The argument should be
a single character; for example, ^ followed by a
letter or none to disable the escape character
entirely (making the connection transparent for
binary data). The default is escape character is
the tilde (~). Specifies whether to allocate a
terminal if a command is given. The argument must
be yes or no. The default is no. Specifies whether
the connection to the authentication agent (if any)
will be forwarded to the remote system. The argument
must be yes or no. The default is yes. Specifies
whether X11 connections will be automatically
redirected over the secure channel and if the DISPLAY
environment variable will be set. The argument
must be yes or no. The default is yes. Specifies
whether remote hosts can connect to locally forwarded
ports. The argument must be yes or no. The
default is no. Specifies whether the client will
go to the background after authentication is complete
and the forwardings established. This is
useful if the ssh2 client is going to ask for passwords
or passphrases, but the user wants it in the
background. The argument must be yes, no, or
oneshot. With oneshot, the client behaves the
same way as with the ssh2 -f o command. The default
is no. Specifies the host name to log into. With
the expression format, this can be used to specify
nicknames or abbreviations for hosts. The default
is the name given on the command line. Numeric IP
addresses are also permitted (both on the command
line and in HostName specifications).
The expression format denotes the start of a perhost
configuration block, where expression is an
arbitrary string that distinguishes this block from
others. The expressionformat can contain wildcards.
The expression will be compared with the host name
obtained from the command-line, and if it matches,
the block will be evaluated. Evaluation stops at
the next expression: format. If more than one match
is found, the last obtained value will be effective.
Note that the expression format does not have
to be a real host name, as long as the expression
block contains a host configuration parameter,
where the real host name to connect is defined.
Specifies the Certificate Authority (CA) certificate
(in binary or PEM [base64] format) to be used
when authenticating remote hosts. The certificate
received from the host must be issued by the specified
CA and must contain an alternate, fully qualified
domain name. If the remote host name is not
fully qualified, the domain specified by the
DefaultDomain configuration option is appended to
it before comparing it to certificate alternate
names. If no CA certificates are specified in the
configuration file, the protocol tries to do key
exchange with ordinary public keys. Otherwise certificates
are preferred. Multiple CAs are permitted.
Similar to HostCA, but disables Certificate
Revolation List (CRL) checking for the given cacertificate.
Specifies the name of the user's
identification file. Specifies whether the
keepalive messages are sent. If they are sent, the
loss of a connection or crash of a system will be
noticed. However, this means that connections will
die if the route is down temporarily. The argument
must be yes or no. The default is yes (send
keepalive messages). To disable keepalive messages,
set the value to no in both the server and the
client configuration files. CRLs are automatically
retrieved from the CRL distribution point defined
in the certificate to be checked if the point
exists. Otherwise, the comma-separated server list
given by the LdapServers keyword is used. If
intermediate CA certificates are needed in certificate
validity checking, this keyword must be used
or retrieving the certificates will fail. Specifies
that a TCP/IP port on the local system be forwarded
over the secure channel to the given
host:port on the remote system. The argument format
is port:host:hostport. See the -L option in ssh2(1)
for information on forward definitions. Specifies
the Message Authentication Code (MAC) algorithm to
use for data integrity verification. Supported MAC
algorithms are hmac-sha1, hmac-sha1-96, hmac-md5,
hmac-md5-96, hmac-ripemd160, and hmac-ripemd160-96,
of which hmac-sha1, hmac-sha1-96, hmac-md5 and
hmac-md5-96 are included in all distributions.
Use a comma-separated list when specifying more
than one MAC. Special arguments to this keyword are
Any, Anystd, none, AnyMac and AnyStdMac. The Any
argument allows all MACs including none; the AnyStd
argument allows only those mentioned in the IETFSecSH
draft and none; the none argument forbids any
use of MACs; the AnyMac and AnyStdMac arguments are
analogous to the first two cases but exclude none.
The AnyStdMac argument is the default. Specifies
whether to enable the TCP_NODELAY socket option .
The argument must be yes or no. The default is no.
Specifies the number of password prompts permitted.
The argument must be an integer. The default value
is 3. The server also limits the number of
attempts, so setting this value larger than the
server's value does not have any effect. Specifies
the password prompt displayed when users log in.
Variables %U and %H can be used to give the user's
login name and host name, respectively. Specifies
the port number on the remote host. The default is
port number 22. Supresses all warnings and diagnostic
messages, except fatal errors. The argument
must be yes or no. The default is no. Specifies
the name of the user's random seed file. The
default is the /$HOME/.ssh2/random_seed file, where
$HOME is the name of the user's account. Specifies
the number of seconds between key exchanges. The
default is 3600 seconds (one hour). A value of 0
(zero) turns rekey requests off. This does not prevent
the server from requesting rekeys. Other
servers might not have rekey capabilities implemented
correctly, and might not support rekey
requests. This means that they might terminate the
connection or the server might crash. Specifies
that a TCP/IP port on the remote system be forwarded
over the secure channel to the specified
host:port from the local system. The argument format
is port:host:hostport. See the -R option in
the ssh2(1) file for more information on forward
definitions. Specifies an environment variable to
set in the server before executing a shell or command.
The value should be of the form VAR=val.
The val field can be empty. You can specify multiple
variables by using multiple options. Setting
the variable can fail on the server end. See SettableEnvironmentVars
This feature is not implemented in Secure Shell
versions 3.0.x and earlier. Specifies whether to
forward an SSH1 agent connection. Arguments are
none, traditional, and ssh2. With the none
(default) value, the SSH1 agent connection is not
forwarded. With the traditional value, the SSH1
agent connection is forwarded transparently. The
traditional value can always be used, but it constitutes
a security risk, because the agent does
not get the information about the forwarding path.
The ssh2 value makes SSH1 agent forwarding similar
to SSH2 agent forwarding, and with this mode the
agent gets the information about the agent forwarding
path. The ssh2 value can be used only if you
use ssh-agent2 in SSH1 compatibility mode. Specifies
whether to use SSH1 compatibility codes. The
argument must be yes or no. With this option, ssh1
executes if the server supports only SSH 1.x protocols.
Specifies whether to use SSH1 internal emulation
code. With this option, ssh2 can communicate
with ssh1 servers, without using an external
ssh1 program. The argument must be yes or no.
(This option currently is not supported.) Specifies
whether to send SSH_MSG_IGNORE packets to mask
the password length. The argument must be yes or
no. The default is yes. Specifies the path to the
ssh1 client, which is executed if the server supports
only SSH 1.x protocols. The arguments for
ssh2 are passed to the ssh1 client. Overrides the
value of the SSH_SOCKS_SERVER environment variable.
Specifies whether the client automatically adds new
host keys to the $HOME/.ssh2/hostkeys file. The
argument must be yes, ask, or no. The default is
If the argument is set to yes, new host keys will
never be added automatically to the hostkeys file,
and connections will be refused to hosts whose host
key has changed. This provides maximum protection
against man-in-the-middle attacks. The yes argument
forces the user to add all new hosts manually.
If the argument is set to ask, new hosts will be
added automatically to the hostkeys file after the
user confirms this is the intent. If a host key
changes, you will be asked if you want to accept
the new host key as the only valid one.
If the argument is set to no, new hosts will be
added automatically to the hostkeys file without
prompting the user.
The host keys of known hosts will be verified automatically.
Specifies whether the Xserver should
treat X11 client applications as trusted (with forwarding
X11). Treating X11 applications as
untrusted avoids the problem that logging into a
compromised host allows applications on
that host to detect any input operations via the
forwarded X11 connection. You should only use this
option if the X client program you are running
needs exceptional privileges for the Xserver. The
ssh1 internal emulation mode does not support the
SECURITY extension. The argument must be yes or no.
The default is no. Specifies the user name. This
keyword can be useful if you have a different user
name on different systems. You do not have to specify
the user name on the command line. Use SOCKS5
instead of SOCKS4 when connecting to remote host.
You have to set SocksServer to a meaningful value.
The argument must be yes or no. The default is no
(i.e., use SOCKS4). Specifies whether debugging
messages are displayed. The argument must be yes or
no. The default is no. Specifies where to find the
xauth program. The default is set by the configure
SSH is a registered trademark of SSH Communication Security
[ Back ]