[Next] [Previous] [Up] [Top] [Contents]

29.3 Control Files

29.3.1 Configuration Options

SSH allows you to specify command line options and will read configuration options from a user file (~/.ssh/config) and a system-wide configuration file (/etc/ssh_config and /etc/sshd_config), with preference in the order: option, user, system. Valid keywords and their arguments for the options to the ssh and sshd configuration parameters are in the following table.

Keywords and Arguments
KeywordArgumentsDefaultServer or


AllowHostshost_names host_ipaddressesall hostsServerHosts allowed to login. Space separated list of hostname or IP addresses. Wildcards: "*" and "?" are accepted for pattern matches
BatchModeyes/nonoClientShould passphrase/password querying be disabled
Cipheridea/des/3des/arcfour/tss/noneideaClientSpecifies the cipher to use for encryption of the session
Compressionyes/nonoClientCompress the session data
CompressionLevel1-96ClientCompress using the gzip algorithm: 1->fast (poor); 9->slow (best)
ConnectionAttemptsinteger?ClientNumber of tries per second to attempt before falling back to rsh or exiting.
DenyHostshostname host_ipaddressnoneServerDeny login from these hosts. Space separated list of hostname or IP addresses.
EscapeChar~/^<char>/none~ClientThe escape character to use.
FallBackToRshyes/noyesClientShould the connection fall back to rsh if connection is refused by the remote host (i.e. no sshd is running)
FascistLoggingyes/nonoServerShould verbose logging be enabled.
ForwardAgentyes/noyesClientShould the connection to the authentication agent be forwarded to the remote machine.
ForwardX11yes/noyesClientShould X11 connections be forwarded over the secure channel and have DISPLAY set.
GlobalKnownHostsFilefile/etc/ssh_known_hostsClientFile to use instead of the default.
Hosthost_names host_ipaddressesnoneClientRestrict the configuration options following, up to the next Host declaration, to the desired host(s). Wildcards: "*" and "?" are accepted for pattern matches.
HostKeyhost_key_file/etc/ssh_host_keyServerFile to use instead of the default.
HostNamehostnamecommand line optionClientNicknames or abbreviations for hosts
IdentityFilefile~/.ssh/identityClientFile(s) containing users authentication identity
IgnoreRhostsyes/nonoServerShould ~/.rhosts and ~/.shosts be used. /etc/hosts.equiv and /etc/shosts.equiv are still used.
KeepAliveyes/noyesBothShould the system send keepalive messages to the remote connection. Both client and server should agree on this.
KeyRegenerationIntervaltime3600ServerAutomatic key regeneration interval, in seconds
LocalForwardlocal_port remote_host:portnoneClientThe local tcp/ip port is forwarded to the remote host:port on the remote machine via the secure channel
LoginGraceTimetime600ServerSuccessful login must be accomplished within this period, in seconds.
PasswordAuthenticationyes/noyesBothShould password authentication be allowed.
PermitEmptyPasswordsyes/noyesServerShould empty passwords by permitted.
PermitRootLoginyes/nopwd/noyesServerShould root logins be permitted. "nopwd" disallows password authenticated root logins.
PidFilepid_file/etc/sshd.pidServerFile to use instead of the default.
Portport#22BothPort to connect to on the remote host or to listen to on this machine
PrintMotdyes/noyesServerShould /etc/motd be printed at login.
ProxyCommandcommand_stringnoneClientCommand to connect to the remote server
QuietModeyes/nonoServerShould the system run in quiet mode, i.e. log only fatal errors.
RandomSeedrandom_seed_file/etc/ssh_random_seedServerFile to use instead of the default.
RemoteForwardremote_port local_host:portnoneClientThe remote tcp/ip port is forwarded to local host:port via the secure channel
RhostsAuthenticationyes/nonoBothShould rhosts based authentication be tried
RhostsRSAAuthenticationyes/noyesBothShould rhosts based authentication with RSA host authentication be tried
RSAAuthenticationyes/noyesBothShould RSA authentication be tried. The identity file must exist or an authentication agent must be running
ServerKeyBits#bits768ServerSpecify the number of bits to use in the server key, minimum 512.
StrictHostKeyCheckingyes/nonoClientIf yes, hosts will not be automatically added to ~/.ssh/known_hosts and connections will be rejected to a host whose host key has changed
StrictModesyes/noyesServerShould strict checking of permissions be done on authentication files.
SyslogFacilitysyslog_codeDAEMONServerSpecify the logging code to use.
Userremote_useryour_login_idClientBecome a different user on the remote end of the ssh connection
UserKnownHostsFilefile~/.ssh/known_hostsClientFile to use for the users' known hosts
UseRshyes/noyesClientShould rlogin/rsh be used for this host
X11Forwardingyes/noyesServerShould X11 forwarding be permitted.

Unix System Administration - 8 AUG 1996
[Next] [Previous] [Up] [Top] [Contents]