blob: 7a435a90e03464b85e79e2b626624bfa1dce1ac9 [file] [log] [blame]
Ben Lindstrom9f049032002-06-21 00:59:05 +00001.\" -*- nroff -*-
2.\"
3.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5.\" All rights reserved
6.\"
7.\" As far as I am concerned, the code I have written for this software
8.\" can be used freely for any purpose. Any derived versions of this
9.\" software must be clearly marked as such, and if the derived work is
10.\" incompatible with the protocol description in the RFC file, it must be
11.\" called by a name other than "ssh" or "Secure Shell".
12.\"
13.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
14.\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
15.\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
16.\"
17.\" Redistribution and use in source and binary forms, with or without
18.\" modification, are permitted provided that the following conditions
19.\" are met:
20.\" 1. Redistributions of source code must retain the above copyright
21.\" notice, this list of conditions and the following disclaimer.
22.\" 2. Redistributions in binary form must reproduce the above copyright
23.\" notice, this list of conditions and the following disclaimer in the
24.\" documentation and/or other materials provided with the distribution.
25.\"
26.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
27.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
28.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
29.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
30.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
31.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
32.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
33.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\"
Damien Millerc2b98272003-09-03 12:13:30 +100037.\" $OpenBSD: ssh_config.5,v 1.20 2003/09/02 18:50:06 jmc Exp $
Ben Lindstrom9f049032002-06-21 00:59:05 +000038.Dd September 25, 1999
39.Dt SSH_CONFIG 5
40.Os
41.Sh NAME
42.Nm ssh_config
43.Nd OpenSSH SSH client configuration files
44.Sh SYNOPSIS
45.Bl -tag -width Ds -compact
46.It Pa $HOME/.ssh/config
47.It Pa /etc/ssh/ssh_config
48.El
49.Sh DESCRIPTION
50.Nm ssh
51obtains configuration data from the following sources in
52the following order:
Ben Lindstrom479b4762002-08-20 19:04:51 +000053.Bl -enum -offset indent -compact
54.It
55command-line options
56.It
57user's configuration file
58.Pq Pa $HOME/.ssh/config
59.It
60system-wide configuration file
61.Pq Pa /etc/ssh/ssh_config
62.El
Ben Lindstrom9f049032002-06-21 00:59:05 +000063.Pp
64For each parameter, the first obtained value
65will be used.
66The configuration files contain sections bracketed by
67.Dq Host
68specifications, and that section is only applied for hosts that
69match one of the patterns given in the specification.
70The matched host name is the one given on the command line.
71.Pp
72Since the first obtained value for each parameter is used, more
73host-specific declarations should be given near the beginning of the
74file, and general defaults at the end.
75.Pp
76The configuration file has the following format:
77.Pp
78Empty lines and lines starting with
79.Ql #
80are comments.
81.Pp
82Otherwise a line is of the format
83.Dq keyword arguments .
84Configuration options may be separated by whitespace or
85optional whitespace and exactly one
86.Ql = ;
87the latter format is useful to avoid the need to quote whitespace
88when specifying configuration options using the
89.Nm ssh ,
90.Nm scp
91and
92.Nm sftp
93.Fl o
94option.
95.Pp
96The possible
97keywords and their meanings are as follows (note that
98keywords are case-insensitive and arguments are case-sensitive):
99.Bl -tag -width Ds
100.It Cm Host
101Restricts the following declarations (up to the next
102.Cm Host
103keyword) to be only for those hosts that match one of the patterns
104given after the keyword.
105.Ql \&*
106and
Damien Millerc2b98272003-09-03 12:13:30 +1000107.Ql \&?
Ben Lindstrom9f049032002-06-21 00:59:05 +0000108can be used as wildcards in the
109patterns.
110A single
111.Ql \&*
112as a pattern can be used to provide global
113defaults for all hosts.
114The host is the
115.Ar hostname
116argument given on the command line (i.e., the name is not converted to
117a canonicalized host name before matching).
Damien Miller20a8f972003-05-18 20:50:30 +1000118.It Cm AddressFamily
Damien Millerfbf486b2003-05-23 18:44:23 +1000119Specifies which address family to use when connecting.
120Valid arguments are
Damien Miller20a8f972003-05-18 20:50:30 +1000121.Dq any ,
122.Dq inet
123(Use IPv4 only) or
124.Dq inet6
125(Use IPv6 only.)
Ben Lindstrom9f049032002-06-21 00:59:05 +0000126.It Cm BatchMode
127If set to
128.Dq yes ,
129passphrase/password querying will be disabled.
130This option is useful in scripts and other batch jobs where no user
131is present to supply the password.
132The argument must be
133.Dq yes
134or
135.Dq no .
136The default is
137.Dq no .
138.It Cm BindAddress
139Specify the interface to transmit from on machines with multiple
140interfaces or aliased addresses.
141Note that this option does not work if
142.Cm UsePrivilegedPort
143is set to
144.Dq yes .
145.It Cm ChallengeResponseAuthentication
146Specifies whether to use challenge response authentication.
147The argument to this keyword must be
148.Dq yes
149or
150.Dq no .
151The default is
152.Dq yes .
153.It Cm CheckHostIP
154If this flag is set to
155.Dq yes ,
156ssh will additionally check the host IP address in the
157.Pa known_hosts
158file.
159This allows ssh to detect if a host key changed due to DNS spoofing.
160If the option is set to
161.Dq no ,
162the check will not be executed.
163The default is
164.Dq yes .
165.It Cm Cipher
166Specifies the cipher to use for encrypting the session
167in protocol version 1.
168Currently,
169.Dq blowfish ,
170.Dq 3des ,
171and
172.Dq des
173are supported.
174.Ar des
175is only supported in the
176.Nm ssh
177client for interoperability with legacy protocol 1 implementations
178that do not support the
179.Ar 3des
Damien Miller495dca32003-04-01 21:42:14 +1000180cipher.
181Its use is strongly discouraged due to cryptographic weaknesses.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000182The default is
183.Dq 3des .
184.It Cm Ciphers
185Specifies the ciphers allowed for protocol version 2
186in order of preference.
187Multiple ciphers must be comma-separated.
188The default is
189.Pp
190.Bd -literal
191 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
192 aes192-cbc,aes256-cbc''
193.Ed
194.It Cm ClearAllForwardings
195Specifies that all local, remote and dynamic port forwardings
196specified in the configuration files or on the command line be
Damien Miller495dca32003-04-01 21:42:14 +1000197cleared.
198This option is primarily useful when used from the
Ben Lindstrom9f049032002-06-21 00:59:05 +0000199.Nm ssh
200command line to clear port forwardings set in
201configuration files, and is automatically set by
202.Xr scp 1
203and
204.Xr sftp 1 .
205The argument must be
206.Dq yes
207or
208.Dq no .
209The default is
210.Dq no .
211.It Cm Compression
212Specifies whether to use compression.
213The argument must be
214.Dq yes
215or
216.Dq no .
217The default is
218.Dq no .
219.It Cm CompressionLevel
220Specifies the compression level to use if compression is enabled.
221The argument must be an integer from 1 (fast) to 9 (slow, best).
222The default level is 6, which is good for most applications.
223The meaning of the values is the same as in
224.Xr gzip 1 .
225Note that this option applies to protocol version 1 only.
226.It Cm ConnectionAttempts
227Specifies the number of tries (one per second) to make before exiting.
228The argument must be an integer.
229This may be useful in scripts if the connection sometimes fails.
230The default is 1.
Damien Millerb78d5eb2003-05-16 11:39:04 +1000231.It Cm ConnectTimeout
232Specifies the timeout (in seconds) used when connecting to the ssh
Damien Millerfbf486b2003-05-23 18:44:23 +1000233server, instead of using the default system TCP timeout.
234This value is used only when the target is down or really unreachable,
235not when it refuses the connection.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000236.It Cm DynamicForward
237Specifies that a TCP/IP port on the local machine be forwarded
238over the secure channel, and the application
239protocol is then used to determine where to connect to from the
Damien Miller495dca32003-04-01 21:42:14 +1000240remote machine.
241The argument must be a port number.
Darren Tucker46471c92003-07-03 13:55:19 +1000242Currently the SOCKS4 and SOCKS5 protocols are supported, and
Ben Lindstrom9f049032002-06-21 00:59:05 +0000243.Nm ssh
Darren Tucker46471c92003-07-03 13:55:19 +1000244will act as a SOCKS server.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000245Multiple forwardings may be specified, and
Damien Miller495dca32003-04-01 21:42:14 +1000246additional forwardings can be given on the command line.
247Only the superuser can forward privileged ports.
Darren Tucker674f71d2003-06-28 12:33:12 +1000248.It Cm EnableSSHKeysign
249Setting this option to
250.Dq yes
251in the global client configuration file
252.Pa /etc/ssh/ssh_config
253enables the use of the helper program
254.Xr ssh-keysign 8
255during
256.Cm HostbasedAuthentication .
257The argument must be
258.Dq yes
259or
260.Dq no .
261The default is
262.Dq no .
263See
264.Xr ssh-keysign 8
265for more information.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000266.It Cm EscapeChar
267Sets the escape character (default:
268.Ql ~ ) .
269The escape character can also
270be set on the command line.
271The argument should be a single character,
272.Ql ^
273followed by a letter, or
274.Dq none
275to disable the escape
276character entirely (making the connection transparent for binary
277data).
278.It Cm ForwardAgent
279Specifies whether the connection to the authentication agent (if any)
280will be forwarded to the remote machine.
281The argument must be
282.Dq yes
283or
284.Dq no .
285The default is
286.Dq no .
Damien Milleraf653042002-09-04 16:40:37 +1000287.Pp
Damien Miller495dca32003-04-01 21:42:14 +1000288Agent forwarding should be enabled with caution.
289Users with the ability to bypass file permissions on the remote host
290(for the agent's Unix-domain socket)
291can access the local agent through the forwarded connection.
292An attacker cannot obtain key material from the agent,
Damien Milleraf653042002-09-04 16:40:37 +1000293however they can perform operations on the keys that enable them to
294authenticate using the identities loaded into the agent.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000295.It Cm ForwardX11
296Specifies whether X11 connections will be automatically redirected
297over the secure channel and
298.Ev DISPLAY
299set.
300The argument must be
301.Dq yes
302or
303.Dq no .
304The default is
305.Dq no .
Damien Milleraf653042002-09-04 16:40:37 +1000306.Pp
Damien Miller495dca32003-04-01 21:42:14 +1000307X11 forwarding should be enabled with caution.
308Users with the ability to bypass file permissions on the remote host
309(for the user's X authorization database)
310can access the local X11 display through the forwarded connection.
311An attacker may then be able to perform activities such as keystroke monitoring.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000312.It Cm GatewayPorts
313Specifies whether remote hosts are allowed to connect to local
314forwarded ports.
315By default,
316.Nm ssh
Damien Miller495dca32003-04-01 21:42:14 +1000317binds local port forwardings to the loopback address.
318This prevents other remote hosts from connecting to forwarded ports.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000319.Cm GatewayPorts
320can be used to specify that
321.Nm ssh
322should bind local port forwardings to the wildcard address,
323thus allowing remote hosts to connect to forwarded ports.
324The argument must be
325.Dq yes
326or
327.Dq no .
328The default is
329.Dq no .
330.It Cm GlobalKnownHostsFile
331Specifies a file to use for the global
332host key database instead of
333.Pa /etc/ssh/ssh_known_hosts .
Darren Tucker0efd1552003-08-26 11:49:55 +1000334.It Cm GSSAPIAuthentication
335Specifies whether authentication based on GSSAPI may be used, either using
336the result of a successful key exchange, or using GSSAPI user
337authentication.
Damien Millerc2b98272003-09-03 12:13:30 +1000338The default is
Darren Tucker0efd1552003-08-26 11:49:55 +1000339.Dq yes .
340Note that this option applies to protocol version 2 only.
341.It Cm GSSAPIDelegateCredentials
342Forward (delegate) credentials to the server.
343The default is
344.Dq no .
345Note that this option applies to protocol version 2 only.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000346.It Cm HostbasedAuthentication
347Specifies whether to try rhosts based authentication with public key
348authentication.
349The argument must be
350.Dq yes
351or
352.Dq no .
353The default is
354.Dq no .
355This option applies to protocol version 2 only and
356is similar to
357.Cm RhostsRSAAuthentication .
358.It Cm HostKeyAlgorithms
359Specifies the protocol version 2 host key algorithms
360that the client wants to use in order of preference.
361The default for this option is:
362.Dq ssh-rsa,ssh-dss .
363.It Cm HostKeyAlias
364Specifies an alias that should be used instead of the
365real host name when looking up or saving the host key
366in the host key database files.
367This option is useful for tunneling ssh connections
368or for multiple servers running on a single host.
369.It Cm HostName
370Specifies the real host name to log into.
371This can be used to specify nicknames or abbreviations for hosts.
372Default is the name given on the command line.
373Numeric IP addresses are also permitted (both on the command line and in
374.Cm HostName
375specifications).
376.It Cm IdentityFile
377Specifies a file from which the user's RSA or DSA authentication identity
Damien Millerfbf486b2003-05-23 18:44:23 +1000378is read.
379The default is
Ben Lindstrom9f049032002-06-21 00:59:05 +0000380.Pa $HOME/.ssh/identity
381for protocol version 1, and
382.Pa $HOME/.ssh/id_rsa
383and
384.Pa $HOME/.ssh/id_dsa
385for protocol version 2.
386Additionally, any identities represented by the authentication agent
387will be used for authentication.
388The file name may use the tilde
389syntax to refer to a user's home directory.
390It is possible to have
391multiple identity files specified in configuration files; all these
392identities will be tried in sequence.
393.It Cm KeepAlive
394Specifies whether the system should send TCP keepalive messages to the
395other side.
396If they are sent, death of the connection or crash of one
397of the machines will be properly noticed.
398However, this means that
399connections will die if the route is down temporarily, and some people
400find it annoying.
401.Pp
402The default is
403.Dq yes
404(to send keepalives), and the client will notice
405if the network goes down or the remote host dies.
406This is important in scripts, and many users want it too.
407.Pp
408To disable keepalives, the value should be set to
409.Dq no .
Ben Lindstrom9f049032002-06-21 00:59:05 +0000410.It Cm LocalForward
411Specifies that a TCP/IP port on the local machine be forwarded over
412the secure channel to the specified host and port from the remote machine.
413The first argument must be a port number, and the second must be
414.Ar host:port .
415IPv6 addresses can be specified with an alternative syntax:
416.Ar host/port .
417Multiple forwardings may be specified, and additional
418forwardings can be given on the command line.
419Only the superuser can forward privileged ports.
420.It Cm LogLevel
421Gives the verbosity level that is used when logging messages from
422.Nm ssh .
423The possible values are:
424QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3.
Damien Miller495dca32003-04-01 21:42:14 +1000425The default is INFO.
426DEBUG and DEBUG1 are equivalent.
427DEBUG2 and DEBUG3 each specify higher levels of verbose output.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000428.It Cm MACs
429Specifies the MAC (message authentication code) algorithms
430in order of preference.
431The MAC algorithm is used in protocol version 2
432for data integrity protection.
433Multiple algorithms must be comma-separated.
434The default is
435.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
436.It Cm NoHostAuthenticationForLocalhost
437This option can be used if the home directory is shared across machines.
438In this case localhost will refer to a different machine on each of
439the machines and the user will get many warnings about changed host keys.
440However, this option disables host authentication for localhost.
441The argument to this keyword must be
442.Dq yes
443or
444.Dq no .
445The default is to check the host key for localhost.
446.It Cm NumberOfPasswordPrompts
447Specifies the number of password prompts before giving up.
448The argument to this keyword must be an integer.
449Default is 3.
450.It Cm PasswordAuthentication
451Specifies whether to use password authentication.
452The argument to this keyword must be
453.Dq yes
454or
455.Dq no .
456The default is
457.Dq yes .
458.It Cm Port
459Specifies the port number to connect on the remote host.
460Default is 22.
461.It Cm PreferredAuthentications
462Specifies the order in which the client should try protocol 2
Damien Millerfbf486b2003-05-23 18:44:23 +1000463authentication methods.
464This allows a client to prefer one method (e.g.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000465.Cm keyboard-interactive )
466over another method (e.g.
467.Cm password )
468The default for this option is:
469.Dq hostbased,publickey,keyboard-interactive,password .
470.It Cm Protocol
471Specifies the protocol versions
472.Nm ssh
473should support in order of preference.
474The possible values are
475.Dq 1
476and
477.Dq 2 .
478Multiple versions must be comma-separated.
479The default is
480.Dq 2,1 .
481This means that
482.Nm ssh
483tries version 2 and falls back to version 1
484if version 2 is not available.
485.It Cm ProxyCommand
486Specifies the command to use to connect to the server.
487The command
488string extends to the end of the line, and is executed with
489.Pa /bin/sh .
490In the command string,
491.Ql %h
492will be substituted by the host name to
493connect and
494.Ql %p
495by the port.
496The command can be basically anything,
497and should read from its standard input and write to its standard output.
498It should eventually connect an
499.Xr sshd 8
500server running on some machine, or execute
501.Ic sshd -i
502somewhere.
503Host key management will be done using the
504HostName of the host being connected (defaulting to the name typed by
505the user).
Damien Miller495dca32003-04-01 21:42:14 +1000506Setting the command to
507.Dq none
Damien Miller9f1e33a2003-02-24 11:57:32 +1100508disables this option entirely.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000509Note that
510.Cm CheckHostIP
511is not available for connects with a proxy command.
512.Pp
513.It Cm PubkeyAuthentication
514Specifies whether to try public key authentication.
515The argument to this keyword must be
516.Dq yes
517or
518.Dq no .
519The default is
520.Dq yes .
521This option applies to protocol version 2 only.
522.It Cm RemoteForward
523Specifies that a TCP/IP port on the remote machine be forwarded over
524the secure channel to the specified host and port from the local machine.
525The first argument must be a port number, and the second must be
526.Ar host:port .
527IPv6 addresses can be specified with an alternative syntax:
528.Ar host/port .
529Multiple forwardings may be specified, and additional
530forwardings can be given on the command line.
531Only the superuser can forward privileged ports.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000532.It Cm RhostsRSAAuthentication
533Specifies whether to try rhosts based authentication with RSA host
534authentication.
535The argument must be
536.Dq yes
537or
538.Dq no .
539The default is
540.Dq no .
541This option applies to protocol version 1 only and requires
542.Nm ssh
543to be setuid root.
544.It Cm RSAAuthentication
545Specifies whether to try RSA authentication.
546The argument to this keyword must be
547.Dq yes
548or
549.Dq no .
550RSA authentication will only be
551attempted if the identity file exists, or an authentication agent is
552running.
553The default is
554.Dq yes .
555Note that this option applies to protocol version 1 only.
556.It Cm SmartcardDevice
Damien Millerfbf486b2003-05-23 18:44:23 +1000557Specifies which smartcard device to use.
558The argument to this keyword is the device
Ben Lindstrom9f049032002-06-21 00:59:05 +0000559.Nm ssh
560should use to communicate with a smartcard used for storing the user's
Damien Millerfbf486b2003-05-23 18:44:23 +1000561private RSA key.
562By default, no device is specified and smartcard support is not activated.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000563.It Cm StrictHostKeyChecking
564If this flag is set to
565.Dq yes ,
566.Nm ssh
567will never automatically add host keys to the
568.Pa $HOME/.ssh/known_hosts
569file, and refuses to connect to hosts whose host key has changed.
570This provides maximum protection against trojan horse attacks,
571however, can be annoying when the
572.Pa /etc/ssh/ssh_known_hosts
573file is poorly maintained, or connections to new hosts are
574frequently made.
575This option forces the user to manually
576add all new hosts.
577If this flag is set to
578.Dq no ,
579.Nm ssh
580will automatically add new host keys to the
581user known hosts files.
582If this flag is set to
583.Dq ask ,
584new host keys
585will be added to the user known host files only after the user
586has confirmed that is what they really want to do, and
587.Nm ssh
588will refuse to connect to hosts whose host key has changed.
589The host keys of
590known hosts will be verified automatically in all cases.
591The argument must be
592.Dq yes ,
593.Dq no
594or
595.Dq ask .
596The default is
597.Dq ask .
598.It Cm UsePrivilegedPort
599Specifies whether to use a privileged port for outgoing connections.
600The argument must be
601.Dq yes
602or
603.Dq no .
604The default is
605.Dq no .
Damien Miller9b1dacd2002-09-04 16:47:35 +1000606If set to
607.Dq yes
608.Nm ssh
609must be setuid root.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000610Note that this option must be set to
611.Dq yes
Darren Tuckerec960f22003-08-13 20:37:05 +1000612for
Ben Lindstrom9f049032002-06-21 00:59:05 +0000613.Cm RhostsRSAAuthentication
Darren Tuckerec960f22003-08-13 20:37:05 +1000614with older servers.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000615.It Cm User
616Specifies the user to log in as.
617This can be useful when a different user name is used on different machines.
618This saves the trouble of
619having to remember to give the user name on the command line.
620.It Cm UserKnownHostsFile
621Specifies a file to use for the user
622host key database instead of
623.Pa $HOME/.ssh/known_hosts .
Damien Miller37876e92003-05-15 10:19:46 +1000624.It Cm VerifyHostKeyDNS
625Specifies whether to verify the remote key using DNS and SSHFP resource
626records.
627The default is
628.Dq no .
Damien Millereacbb4f2003-06-02 19:10:41 +1000629Note that this option applies to protocol version 2 only.
Ben Lindstrom9f049032002-06-21 00:59:05 +0000630.It Cm XAuthLocation
Damien Miller05913ba2002-09-04 16:51:03 +1000631Specifies the full pathname of the
Ben Lindstrom9f049032002-06-21 00:59:05 +0000632.Xr xauth 1
633program.
634The default is
635.Pa /usr/X11R6/bin/xauth .
636.El
637.Sh FILES
638.Bl -tag -width Ds
639.It Pa $HOME/.ssh/config
640This is the per-user configuration file.
641The format of this file is described above.
642This file is used by the
643.Nm ssh
644client.
645This file does not usually contain any sensitive information,
646but the recommended permissions are read/write for the user, and not
647accessible by others.
648.It Pa /etc/ssh/ssh_config
649Systemwide configuration file.
650This file provides defaults for those
651values that are not specified in the user's configuration file, and
652for those users who do not have a configuration file.
653This file must be world-readable.
654.El
Damien Millerf1ce5052003-06-11 22:04:39 +1000655.Sh SEE ALSO
656.Xr ssh 1
Ben Lindstrom9f049032002-06-21 00:59:05 +0000657.Sh AUTHORS
658OpenSSH is a derivative of the original and free
659ssh 1.2.12 release by Tatu Ylonen.
660Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
661Theo de Raadt and Dug Song
662removed many bugs, re-added newer features and
663created OpenSSH.
664Markus Friedl contributed the support for SSH
665protocol versions 1.5 and 2.0.