29.3 Control Files

29.3.1 Configuration Options

SSH allows you to specify command line options and will read configuration options from a user file (~/.ssh/config) and a system-wide configuration file (/etc/ssh_config and /etc/sshd_config), with preference in the order: option, user, system. Valid keywords and their arguments for the options to the ssh and sshd configuration parameters are in the following table.

Keywords and Arguments
Keyword Arguments Default Server or
Client
Comment
AllowHosts host_names host_ipaddresses all hosts Server Hosts allowed to login. Space separated list of hostname or IP addresses. Wildcards: "*" and "?" are accepted for pattern matches
BatchMode yes/no no Client Should passphrase/password querying be disabled
Cipher idea/des/3des/arcfour/tss/none idea Client Specifies the cipher to use for encryption of the session
Compression yes/no no Client Compress the session data
CompressionLevel 1-9 6 Client Compress using the gzip algorithm: 1->fast (poor); 9->slow (best)
ConnectionAttempts integer ? Client Number of tries per second to attempt before falling back to rsh or exiting.
DenyHosts hostname host_ipaddress none Server Deny login from these hosts. Space separated list of hostname or IP addresses.
EscapeChar ~/^<char>/none ~ Client The escape character to use.
FallBackToRsh yes/no yes Client Should the connection fall back to rsh if connection is refused by the remote host (i.e. no sshd is running)
FascistLogging yes/no no Server Should verbose logging be enabled.
ForwardAgent yes/no yes Client Should the connection to the authentication agent be forwarded to the remote machine.
ForwardX11 yes/no yes Client Should X11 connections be forwarded over the secure channel and have DISPLAY set.
GlobalKnownHostsFile file /etc/ssh_known_hosts Client File to use instead of the default.
Host host_names host_ipaddresses none Client Restrict the configuration options following, up to the next Host declaration, to the desired host(s). Wildcards: "*" and "?" are accepted for pattern matches.
HostKey host_key_file /etc/ssh_host_key Server File to use instead of the default.
HostName hostname command line option Client Nicknames or abbreviations for hosts
IdentityFile file ~/.ssh/identity Client File(s) containing users authentication identity
IgnoreRhosts yes/no no Server Should ~/.rhosts and ~/.shosts be used. /etc/hosts.equiv and /etc/shosts.equiv are still used.
KeepAlive yes/no yes Both Should the system send keepalive messages to the remote connection. Both client and server should agree on this.
KeyRegenerationInterval time 3600 Server Automatic key regeneration interval, in seconds
LocalForward local_port remote_host:port none Client The local tcp/ip port is forwarded to the remote host:port on the remote machine via the secure channel
LoginGraceTime time 600 Server Successful login must be accomplished within this period, in seconds.
PasswordAuthentication yes/no yes Both Should password authentication be allowed.
PermitEmptyPasswords yes/no yes Server Should empty passwords by permitted.
PermitRootLogin yes/nopwd/no yes Server Should root logins be permitted. "nopwd" disallows password authenticated root logins.
PidFile pid_file /etc/sshd.pid Server File to use instead of the default.
Port port# 22 Both Port to connect to on the remote host or to listen to on this machine
PrintMotd yes/no yes Server Should /etc/motd be printed at login.
ProxyCommand command_string none Client Command to connect to the remote server
QuietMode yes/no no Server Should the system run in quiet mode, i.e. log only fatal errors.
RandomSeed random_seed_file /etc/ssh_random_seed Server File to use instead of the default.
RemoteForward remote_port local_host:port none Client The remote tcp/ip port is forwarded to local host:port via the secure channel
RhostsAuthentication yes/no no Both Should rhosts based authentication be tried
RhostsRSAAuthentication yes/no yes Both Should rhosts based authentication with RSA host authentication be tried
RSAAuthentication yes/no yes Both Should RSA authentication be tried. The identity file must exist or an authentication agent must be running
ServerKeyBits #bits 768 Server Specify the number of bits to use in the server key, minimum 512.
StrictHostKeyChecking yes/no no Client If yes, hosts will not be automatically added to ~/.ssh/known_hosts and connections will be rejected to a host whose host key has changed
StrictModes yes/no yes Server Should strict checking of permissions be done on authentication files.
SyslogFacility syslog_code DAEMON Server Specify the logging code to use.
User remote_user your_login_id Client Become a different user on the remote end of the ssh connection
UserKnownHostsFile file ~/.ssh/known_hosts Client File to use for the users' known hosts
UseRsh yes/no yes Client Should rlogin/rsh be used for this host
X11Forwarding yes/no yes Server Should X11 forwarding be permitted.

Keywords and Arguments
Keyword	Arguments	Default	Server or Client	Comment
AllowHosts	host_names host_ipaddresses	all hosts	Server	Hosts allowed to login. Space separated list of hostname or IP addresses. Wildcards: "*" and "?" are accepted for pattern matches
BatchMode	yes/no	no	Client	Should passphrase/password querying be disabled
Cipher	idea/des/3des/arcfour/tss/none	idea	Client	Specifies the cipher to use for encryption of the session
Compression	yes/no	no	Client	Compress the session data
CompressionLevel	1-9	6	Client	Compress using the gzip algorithm: 1->fast (poor); 9->slow (best)
ConnectionAttempts	integer	?	Client	Number of tries per second to attempt before falling back to rsh or exiting.
DenyHosts	hostname host_ipaddress	none	Server	Deny login from these hosts. Space separated list of hostname or IP addresses.
EscapeChar	~/^<char>/none	~	Client	The escape character to use.
FallBackToRsh	yes/no	yes	Client	Should the connection fall back to rsh if connection is refused by the remote host (i.e. no sshd is running)
FascistLogging	yes/no	no	Server	Should verbose logging be enabled.
ForwardAgent	yes/no	yes	Client	Should the connection to the authentication agent be forwarded to the remote machine.
ForwardX11	yes/no	yes	Client	Should X11 connections be forwarded over the secure channel and have DISPLAY set.
GlobalKnownHostsFile	file	/etc/ssh_known_hosts	Client	File to use instead of the default.
Host	host_names host_ipaddresses	none	Client	Restrict the configuration options following, up to the next Host declaration, to the desired host(s). Wildcards: "*" and "?" are accepted for pattern matches.
HostKey	host_key_file	/etc/ssh_host_key	Server	File to use instead of the default.
HostName	hostname	command line option	Client	Nicknames or abbreviations for hosts
IdentityFile	file	~/.ssh/identity	Client	File(s) containing users authentication identity
IgnoreRhosts	yes/no	no	Server	Should ~/.rhosts and ~/.shosts be used. /etc/hosts.equiv and /etc/shosts.equiv are still used.
KeepAlive	yes/no	yes	Both	Should the system send keepalive messages to the remote connection. Both client and server should agree on this.
KeyRegenerationInterval	time	3600	Server	Automatic key regeneration interval, in seconds
LocalForward	local_port remote_host:port	none	Client	The local tcp/ip port is forwarded to the remote host:port on the remote machine via the secure channel
LoginGraceTime	time	600	Server	Successful login must be accomplished within this period, in seconds.
PasswordAuthentication	yes/no	yes	Both	Should password authentication be allowed.
PermitEmptyPasswords	yes/no	yes	Server	Should empty passwords by permitted.
PermitRootLogin	yes/nopwd/no	yes	Server	Should root logins be permitted. "nopwd" disallows password authenticated root logins.
PidFile	pid_file	/etc/sshd.pid	Server	File to use instead of the default.
Port	port#	22	Both	Port to connect to on the remote host or to listen to on this machine
PrintMotd	yes/no	yes	Server	Should /etc/motd be printed at login.
ProxyCommand	command_string	none	Client	Command to connect to the remote server
QuietMode	yes/no	no	Server	Should the system run in quiet mode, i.e. log only fatal errors.
RandomSeed	random_seed_file	/etc/ssh_random_seed	Server	File to use instead of the default.
RemoteForward	remote_port local_host:port	none	Client	The remote tcp/ip port is forwarded to local host:port via the secure channel
RhostsAuthentication	yes/no	no	Both	Should rhosts based authentication be tried
RhostsRSAAuthentication	yes/no	yes	Both	Should rhosts based authentication with RSA host authentication be tried
RSAAuthentication	yes/no	yes	Both	Should RSA authentication be tried. The identity file must exist or an authentication agent must be running
ServerKeyBits	#bits	768	Server	Specify the number of bits to use in the server key, minimum 512.
StrictHostKeyChecking	yes/no	no	Client	If yes, hosts will not be automatically added to ~/.ssh/known_hosts and connections will be rejected to a host whose host key has changed
StrictModes	yes/no	yes	Server	Should strict checking of permissions be done on authentication files.
SyslogFacility	syslog_code	DAEMON	Server	Specify the logging code to use.
User	remote_user	your_login_id	Client	Become a different user on the remote end of the ssh connection
UserKnownHostsFile	file	~/.ssh/known_hosts	Client	File to use for the users' known hosts
UseRsh	yes/no	yes	Client	Should rlogin/rsh be used for this host
X11Forwarding	yes/no	yes	Server	Should X11 forwarding be permitted.

Unix System Administration - 8 AUG 1996

[Next] [Previous] [Up] [Top] [Contents]