ssh2_config(4)

NAME

       ssh2_config  -  Configuration  file  for  the Secure Shell
       client

DESCRIPTION

       The Secure Shell client reads its configuration data from
       the following sources, in this order:

              the system's global configuration file
              (/etc/ssh2/ssh2_config)

              the user's configuration file
              ($HOME/.ssh2/ssh2_config)

              the command-line options

       For each keyword, the last obtained value is effective, so a
       setting in the user's file overrides the global file, and a
       command-line option overrides both.


       A configuration file can begin with metaconfiguration
       information (that is, information about the configuration
       language).

       If the configuration file starts with a line matching the
       following egrep-style regex

              #.*VERSION[ \t\f]+[0-9]+.[0-9]+

       it is interpreted as the version of the configuration
       style.  If this line is not found, the version is 1.0.

       The version line can be followed by one or more
       metaconfiguration parameters.  These lines have to start
       with the pound (#) sign, and they have to match the
       following egrep-style regex:

              #[# \t]+[A-Z0-9]+[ \t]+.*

       Parsing of metaconfiguration directives stops at the first
       line that is not recognized.

       Version 1.1 and later recognize one parameter, which denotes
       the regex syntax used to parse the configuration file.  Its
       value can be egrep, ssh, zsh_fileglob or traditional; the
       zsh_fileglob and traditional values are synonymous.  The
       values are not case-sensitive.

       In the ssh2_config file, a line of the form expression:
       denotes the start of a per-host configuration block, where
       expression is an arbitrary string which distinguishes this
       block from others.  The expression can contain wildcards,
       and is compared with the host name obtained from the
       command line.  If it matches, the block is evaluated.
       Evaluation stops at the next expression: line.  If more
       than one block matches, all are evaluated and the last
       obtained value for each parameter is effective.  The
       expression does not have to be a real host name, as long as
       the block contains a Host configuration parameter that
       defines the real host name.

       Empty lines and lines starting with the pound (#) sign are
       ignored as comments.

       Otherwise a line is of the format keyword arguments.

       Arguments can be enclosed in quotes, using the standard C
       convention.  Configuration files are case sensitive, but
       keywords are not.  An illegal keyword prevents the Secure
       Shell client from starting.
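       The following Python script is an added example, not code
       from this manual page or from the SSH.com client, that
       resolves a configuration exactly the way the description
       above specifies: the optional VERSION line and the
       metaconfiguration parameters after it, comment and blank
       lines, quoted arguments, case-insensitive keywords, the
       expression: host blocks matched against the command-line
       host name, the order global file, user file, command line,
       and "last obtained value wins".  The two configuration
       files are constructed for the example.  The keyword names
       StrictHostKeyChecking, BatchMode, SocksServer, DefaultDomain
       and HostName are taken from this page (the page refers to
       the host name keyword as both Host and HostName); user and
       port are assumed names for the user-name and port-number
       keywords the page describes without naming.

```python
"""Resolve ssh2_config settings as the manual page describes.

Added example; not the SSH.com client's code.  C-style quoting of
arguments is approximated with shlex.
"""
import fnmatch
import re
import shlex

# The page's two egrep-style patterns, anchored at the start of the line.
VERSION_RE = re.compile(r"#.*VERSION[ \t\f]+([0-9]+\.[0-9]+)")
META_RE = re.compile(r"#[# \t]+([A-Z0-9]+)[ \t]+(.*)")

# Keyword vocabulary for this example.  'user' and 'port' are assumed
# names; the others are named on the page.
KNOWN_KEYWORDS = {"stricthostkeychecking", "batchmode", "hostname",
                  "socksserver", "defaultdomain", "user", "port"}


def parse_metaconfig(lines):
    """Return (version, params, index of the first body line).

    Without a matching first line the version is 1.0 and nothing else is
    read as metaconfiguration; parameter parsing stops at the first line
    that does not match META_RE.
    """
    version, params, i = "1.0", {}, 0
    head = VERSION_RE.match(lines[0]) if lines else None
    if head:
        version, i = head.group(1), 1
        while i < len(lines):
            m = META_RE.match(lines[i])
            if not m:
                break
            params[m.group(1)] = m.group(2).strip()
            i += 1
    return version, params, i


def iter_directives(text):
    """Yield (block_expression, keyword, value) for one configuration file.

    block_expression is None before the first 'expression:' line.  Keywords
    are lowered (they are not case sensitive); values keep their case.  An
    unknown keyword stops the real client, so here it raises ValueError.
    """
    lines = text.splitlines()
    _, _, start = parse_metaconfig(lines)
    block = None
    for raw in lines[start:]:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # blank line or comment
        if line.endswith(":") and len(line.split()) == 1:
            block = line[:-1]              # 'expression:' opens a block
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword not in KNOWN_KEYWORDS:
            raise ValueError("illegal keyword %r" % parts[0])
        value = " ".join(shlex.split(parts[1])) if len(parts) > 1 else ""
        yield block, keyword, value


def resolve(config_files, target_host, command_line=None):
    """Effective settings for the host name typed on the command line.

    config_files is ordered (global file, then user file); command_line is
    a dict of option-derived settings applied last.  Every block whose
    wildcard expression matches target_host is evaluated in order, and the
    last value seen for each keyword wins.
    """
    settings = {}
    for text in config_files:
        for block, keyword, value in iter_directives(text):
            if block is None or fnmatch.fnmatchcase(target_host, block):
                settings[keyword] = value
    for keyword, value in (command_line or {}).items():
        settings[keyword.lower()] = value
    return settings


# Constructed sample files (not taken from any real system).
GLOBAL_CONFIG = """\
#  VERSION 1.1
## SAMPLE one
# this comment does not match the parameter regex, so parsing stops here
StrictHostKeyChecking ask
BatchMode             no
SocksServer           "socks.example.test:1080"

*.internal.example.test:
    StrictHostKeyChecking yes
"""

USER_CONFIG = """\
# no VERSION line, so this file is parsed as version 1.0
BatchMode yes

build*:
    HostName build01.internal.example.test
    User     deploy
"""


def demo():
    """Resolve three command-line host names against both sample files."""
    files = [GLOBAL_CONFIG, USER_CONFIG]
    hosts = ("build01", "db.internal.example.test", "www.example.test")
    return {host: resolve(files, host) for host in hosts}


if __name__ == "__main__":
    for host, settings in demo().items():
        print(host, settings)
```

       Running the script shows the point that matters for host
       key policy: build01 resolves to StrictHostKeyChecking ask
       even though its HostName points into internal.example.test,
       because blocks are matched against the name given on the
       command line, not against the HostName set inside a block.
       The stricter block only applies when the internal name is
       typed.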


       Following are the ssh2_config file keywords:

              Specifies the authentication methods that the client
              uses.  Supported authentication methods are
              keyboard-interactive, password, publickey,
              kerberos-2@ssh.com, kerberos-tgt-2@ssh.com, and
              hostbased.  The default is publickey,
              keyboard-interactive, password.

              You can specify any or all authentication methods.
              Use a comma-separated list when specifying more than
              one argument.  The methods are tried in the order in
              which they are listed, and the first successful
              authentication is the one used, so the least
              interactive methods should be placed first.

              Specifies whether to display the "Authentication
              successful" message after authentication has
              completed successfully.  The message tells the user
              that authentication is over, which prevents a
              malicious server from obtaining information from the
              user by displaying additional password or passphrase
              prompts.  The argument must be yes or no.  The
              default is yes.

       BatchMode
              Specifies whether password or passphrase querying is
              disabled.  This keyword is useful in scripts and
              other batch jobs where no user is available to supply
              the password.  If the StrictHostKeyChecking keyword
              is set to ask, the client assumes a no answer,
              because user input is not accepted when invoked with
              BatchMode yes.  The argument must be yes or no.  The
              default is no.

              Specifies the ciphers to use for encrypting the
              session.  Supported ciphers are aes, blowfish,
              twofish, arcfour, cast, des, and 3des.  Use a
              comma-separated list when specifying more than one
              cipher.  Special arguments to this keyword are Any,
              AnyStd, none, AnyCipher and AnyStdCipher.  The Any
              argument allows all ciphers, including the
              non-encrypting cipher mode none; the AnyStd argument
              allows only the ciphers mentioned in the IETF SecSH
              draft, and none; the none argument selects the
              non-encrypting mode; the AnyCipher argument allows
              any available cipher but excludes none; the
              AnyStdCipher argument is the same as AnyCipher but
              includes only those ciphers mentioned in the IETF
              SecSH draft (excluding none).  The AnyStdCipher
              argument is the default.  Only Any, AnyStd and none
              permit an unencrypted session to be negotiated.

              Specifies whether to clear all defined remote and
              local forwarded ports.  The argument must be yes or
              no.  The scp command always automatically clears all
              forwarded ports.

              Specifies whether to use compression.  The argument
              must be yes or no.

              Writes debug messages to the specified file.
              (Remember to enable debugging.)

       DefaultDomain
              Determines the domain part of the system name if
              only the base part of the name is available by normal
              means (for example, those used by the hostname
              command).  The value is appended to the system name
              found, if that name does not contain a dot (.).
              This keyword is only useful if set in the global
              configuration file.

              Specifies whether to redirect input from /dev/null.
              The argument must be yes or no.  The default is no.

              Specifies the initialization string for the external
              key provider used to access external keys for user
              authentication.  See ssh-externalkeys(4) for more
              information.  This feature is only available when
              external key support is included in the software.

              Specifies the external key provider used to access
              external keys for user authentication.  See
              ssh-externalkeys(4) for more information.  This
              feature is only available when external key support
              is included in the software.

              Specifies whether or not to configure the suite of
              r* commands (rsh, rlogin, and rcp, and applications
              that use the rcmd function) to automatically use a
              Secure Shell connection.

              The argument must be yes or no.  The default is no
              in the /etc/ssh2/ssh2_config file and yes in the
              $HOME/.ssh2/ssh2_config file of the root account.

              For this option to work, TcpForwarding must be
              enabled on the remote Secure Shell server.

              Sets the escape character.  The escape character can
              also be set on the command line.  The argument should
              be a single character, ^ followed by a letter (for a
              control character), or none to disable the escape
              character entirely (making the connection transparent
              for binary data).  The default escape character is
              the tilde (~).

              Specifies whether to allocate a terminal if a command
              is given.  The argument must be yes or no.  The
              default is no.

              Specifies whether the connection to the
              authentication agent (if any) will be forwarded to
              the remote system.  The argument must be yes or no.
              The default is yes.  A forwarded agent lets anyone
              with sufficient privilege on the remote system
              authenticate with your keys for as long as the
              session lasts, so disable this for hosts you do not
              trust.

              Specifies whether X11 connections will be
              automatically redirected over the secure channel and
              whether the DISPLAY environment variable will be set.
              The argument must be yes or no.  The default is yes.

              Specifies whether remote hosts can connect to locally
              forwarded ports.  The argument must be yes or no.
              The default is no.

              Specifies whether the client will go to the
              background after authentication is complete and the
              forwardings are established.  This is useful if the
              ssh2 client is going to ask for passwords or
              passphrases, but the user wants it in the background.
              The argument must be yes, no, or oneshot.  With
              oneshot, the client behaves the same way as with the
              ssh2 -f o command.  The default is no.

              Specifies the host name to log into.  With the
              expression: format, this can be used to specify
              nicknames or abbreviations for hosts.  The default is
              the name given on the command line.  Numeric IP
              addresses are also permitted (both on the command
              line and in HostName specifications).

       expression:
              Denotes the start of a per-host configuration block,
              where expression is an arbitrary string that
              distinguishes this block from others.  The expression
              can contain wildcards.  It is compared with the host
              name obtained from the command line, and if it
              matches, the block is evaluated.  Evaluation stops at
              the next expression: line.  If more than one block
              matches, the last obtained value is effective.  Note
              that the expression does not have to be a real host
              name, as long as the block contains a host
              configuration parameter that defines the real host
              name to connect to.

       HostCA
              Specifies the Certificate Authority (CA) certificate
              (in binary or PEM [base64] format) to be used when
              authenticating remote hosts.  The certificate
              received from the host must be issued by the
              specified CA and must contain an alternate, fully
              qualified domain name.  If the remote host name is
              not fully qualified, the domain specified by the
              DefaultDomain configuration option is appended to it
              before comparing it to the certificate's alternate
              names.  If no CA certificates are specified in the
              configuration file, the protocol tries to do key
              exchange with ordinary public keys.  Otherwise
              certificates are preferred.  Multiple CAs are
              permitted.

              Similar to HostCA, but disables Certificate
              Revocation List (CRL) checking for the given CA
              certificate.  Without CRL checking, a host
              certificate that the CA has since revoked is still
              accepted.

              Specifies the name of the user's identification file.

              Specifies whether keepalive messages are sent.  If
              they are sent, the loss of a connection or the crash
              of a system will be noticed.  However, this means
              that connections will die if the route is down
              temporarily.  The argument must be yes or no.  The
              default is yes (send keepalive messages).  To disable
              keepalive messages, set the value to no in both the
              server and the client configuration files.

       LdapServers
              CRLs are automatically retrieved from the CRL
              distribution point defined in the certificate to be
              checked, if that point exists.  Otherwise, the
              comma-separated server list given by the LdapServers
              keyword is used.  If intermediate CA certificates are
              needed in certificate validity checking, this keyword
              must be used or retrieving the certificates will
              fail.

              Specifies that a TCP/IP port on the local system be
              forwarded over the secure channel to the given
              host:port on the remote system.  The argument format
              is port:host:hostport.  See the -L option in ssh2(1)
              for information on forward definitions.

              Specifies the Message Authentication Code (MAC)
              algorithm to use for data integrity verification.
              Supported MAC algorithms are hmac-sha1, hmac-sha1-96,
              hmac-md5, hmac-md5-96, hmac-ripemd160, and
              hmac-ripemd160-96, of which hmac-sha1, hmac-sha1-96,
              hmac-md5 and hmac-md5-96 are included in all
              distributions.

              Use a comma-separated list when specifying more than
              one MAC.  Special arguments to this keyword are Any,
              AnyStd, none, AnyMac and AnyStdMac.  The Any argument
              allows all MACs including none; the AnyStd argument
              allows only those mentioned in the IETF SecSH draft
              and none; the none argument forbids any use of MACs;
              the AnyMac and AnyStdMac arguments are analogous to
              the first two cases but exclude none.  The AnyStdMac
              argument is the default.

              Specifies whether to enable the TCP_NODELAY socket
              option.  The argument must be yes or no.  The default
              is no.

              Specifies the number of password prompts permitted.
              The argument must be an integer.  The default value
              is 3.  The server also limits the number of attempts,
              so setting this value larger than the server's value
              does not have any effect.

              Specifies the password prompt displayed when users
              log in.  The variables %U and %H can be used to
              insert the user's login name and the host name,
              respectively.

              Specifies the port number on the remote host.  The
              default is port number 22.

              Suppresses all warnings and diagnostic messages,
              except fatal errors.  The argument must be yes or no.
              The default is no.

              Specifies the name of the user's random seed file.
              The default is $HOME/.ssh2/random_seed, where $HOME
              is the user's home directory.

              Specifies the number of seconds between key
              exchanges.  The default is 3600 seconds (one hour).
              A value of 0 (zero) turns rekey requests off.  This
              does not prevent the server from requesting rekeys.
              Other servers might not have rekey capabilities
              implemented correctly, and might not support rekey
              requests; such a server might terminate the
              connection or crash.

              Specifies that a TCP/IP port on the remote system be
              forwarded over the secure channel to the specified
              host:port on the local system.  The argument format
              is port:host:hostport.  See the -R option in ssh2(1)
              for more information on forward definitions.

              Specifies an environment variable to set in the
              server before executing a shell or command.  The
              value should be of the form VAR=val.  The val field
              can be empty.  You can specify multiple variables by
              using multiple options.  Setting the variable can
              fail on the server end.  See
              SettableEnvironmentVars in sshd2_config(4).

                                   Note

              This feature is not implemented in Secure Shell
              versions 3.0.x and earlier.

              Specifies whether to forward an SSH1 agent
              connection.  Arguments are none, traditional, and
              ssh2.  With the none (default) value, the SSH1 agent
              connection is not forwarded.  With the traditional
              value, the SSH1 agent connection is forwarded
              transparently.  The traditional value can always be
              used, but it constitutes a security risk, because
              the agent does not get the information about the
              forwarding path.  The ssh2 value makes SSH1 agent
              forwarding similar to SSH2 agent forwarding, and with
              this mode the agent gets the information about the
              agent forwarding path.  The ssh2 value can be used
              only if you use ssh-agent2 in SSH1 compatibility
              mode.

              Specifies whether to use the SSH1 compatibility code.
              The argument must be yes or no.  With this option,
              ssh1 is executed if the server supports only SSH 1.x
              protocols.

              Specifies whether to use the SSH1 internal emulation
              code.  With this option, ssh2 can communicate with
              ssh1 servers without using an external ssh1 program.
              The argument must be yes or no.  (This option
              currently is not supported.)

              Specifies whether to send SSH_MSG_IGNORE packets to
              mask the password length.  The argument must be yes
              or no.  The default is yes.

              Specifies the path to the ssh1 client, which is
              executed if the server supports only SSH 1.x
              protocols.  The arguments for ssh2 are passed to the
              ssh1 client.

       SocksServer
              Specifies the SOCKS server to use.  Overrides the
              value of the SSH_SOCKS_SERVER environment variable.

       StrictHostKeyChecking
              Specifies whether the client automatically adds new
              host keys to the $HOME/.ssh2/hostkeys file.  The
              argument must be yes, ask, or no.  The default is
              ask.

              If the argument is set to yes, new host keys will
              never be added automatically to the hostkeys file,
              and connections will be refused to hosts whose host
              key has changed.  This provides maximum protection
              against man-in-the-middle attacks.  The yes argument
              forces the user to add all new hosts manually.

              If the argument is set to ask, new hosts will be
              added automatically to the hostkeys file after the
              user confirms this is the intent.  If a host key
              changes, you will be asked if you want to accept the
              new host key as the only valid one.

              If the argument is set to no, new hosts will be added
              automatically to the hostkeys file without prompting
              the user.

              The host keys of known hosts are verified
              automatically in every mode.
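              The script below is an added example, not the Tru64
              or SSH.com implementation, that models the
              StrictHostKeyChecking decisions described above
              together with the BatchMode rule that no user input
              is accepted in batch mode.  The hostkeys file is
              modelled as a dict from host name to public key
              bytes, and the two keys are constructed.  One point
              is an assumption: the page does not say what the no
              setting does when a known host presents a different
              key, and this example refuses the connection in that
              case.

```python
"""Host-key acceptance as described for StrictHostKeyChecking.

Added example; not the SSH.com client's code.  Known keys are verified
automatically; 'yes' never adds a key and refuses a changed key; 'ask'
adds a new key or replaces a changed one only after the user confirms;
'no' adds new hosts silently.  With BatchMode yes no input is accepted,
so an 'ask' policy behaves as if the user answered no.  Refusing a
changed key under 'no' is this example's assumption (the safe choice).
"""
import hashlib


def fingerprint(key):
    """Short SHA-256 fingerprint of the raw public key bytes (display only)."""
    return "SHA256:" + hashlib.sha256(key).hexdigest()[:32]


class HostKeyPolicy:
    def __init__(self, strict_host_key_checking, batch_mode=False, ask=None):
        mode = strict_host_key_checking.lower()
        if mode not in ("yes", "ask", "no"):
            raise ValueError("StrictHostKeyChecking must be yes, ask or no")
        self.mode = mode
        self.batch_mode = batch_mode
        # ask(question) -> bool stands in for the client's terminal prompt.
        self.ask = ask or (lambda question: False)

    def confirm(self, question):
        """Ask the user; BatchMode yes means a 'no' answer without a prompt."""
        if self.batch_mode:
            return False
        return bool(self.ask(question))

    def check(self, hostkeys, host, presented):
        """Return 'verified', 'added', 'replaced' or 'refused'.

        hostkeys is updated in place when a key is added or replaced.
        """
        known = hostkeys.get(host)
        if known == presented:
            return "verified"              # known host, key matches
        if known is None:                  # host not in the hostkeys file
            if self.mode == "yes":
                return "refused"           # keys must be added manually
            if self.mode == "no" or self.confirm(
                    "Host %s is unknown (key %s). Add it?"
                    % (host, fingerprint(presented))):
                hostkeys[host] = presented
                return "added"
            return "refused"
        # Stored key differs: the host was re-keyed, or the connection is
        # being intercepted (man-in-the-middle).  Only 'ask' may replace it.
        if self.mode == "ask" and self.confirm(
                "Host key for %s CHANGED from %s to %s. Accept the new key "
                "as the only valid one?"
                % (host, fingerprint(known), fingerprint(presented))):
            hostkeys[host] = presented
            return "replaced"
        return "refused"


# Constructed keys; a real hostkeys file holds full public keys.
OLD_KEY = b"constructed-host-key-A"
NEW_KEY = b"constructed-host-key-B"


def scenarios():
    """Run new / same / changed key under every mode, with and without
    BatchMode, for a user who answers yes to every prompt."""
    results = {}
    for mode in ("yes", "ask", "no"):
        for batch in (False, True):
            policy = HostKeyPolicy(mode, batch_mode=batch, ask=lambda q: True)
            results[(mode, batch, "new")] = policy.check({}, "h", OLD_KEY)
            results[(mode, batch, "same")] = policy.check({"h": OLD_KEY}, "h", OLD_KEY)
            results[(mode, batch, "changed")] = policy.check({"h": OLD_KEY}, "h", NEW_KEY)
    return results


if __name__ == "__main__":
    for (mode, batch, case), outcome in sorted(scenarios().items()):
        print("%-4s batch=%-5s %-8s -> %s" % (mode, batch, case, outcome))
```

              The table the script prints is the one to keep in
              mind for unattended jobs: with BatchMode yes and the
              default ask setting, an unknown host is refused, so
              scripts must have the host key installed in advance
              rather than relying on a prompt that nobody answers.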
              Specifies whether the X server should treat X11
              client applications as trusted (with X11
              forwarding).  Treating X11 applications as untrusted
              avoids the problem that logging into a compromised
              host allows applications on that host to detect any
              input operations via the forwarded X11 connection.
              You should only use this option if the X client
              program you are running needs exceptional privileges
              for the X server.  The ssh1 internal emulation mode
              does not support the SECURITY extension.  The
              argument must be yes or no.  The default is no.

              Specifies the user name.  This keyword is useful if
              you have a different user name on different systems;
              you then do not have to specify the user name on the
              command line.

              Use SOCKS5 instead of SOCKS4 when connecting to the
              remote host.  You have to set SocksServer to a
              meaningful value.  The argument must be yes or no.
              The default is no (that is, use SOCKS4).

              Specifies whether debugging messages are displayed.
              The argument must be yes or no.  The default is no.

              Specifies where to find the xauth program.  The
              default is set by the configure script.

LEGAL NOTICES

       SSH is a registered trademark of SSH Communication Security
       Ltd.

SEE ALSO

       Commands: ssh2(1)

       Files: ssh_certificates(4)


