Public: Technology Reviews : SSH Client Config Schema
This page last changed on Apr 18, 2006 by scytacki.
The command-line ssh client can be configured with two config files either:

Here is what that file looks like.

# Site-wide defaults for various options
# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
# Protocol 2,1
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# EscapeChar ~

Here is a segment of the man page about this file.

Host
    Restricts the following declarations (up to the next Host keyword) to be only for those hosts that match one of the patterns given after the keyword. `*' and `?' can be used as wildcards in the patterns. A single `*' as a pattern can be used to provide global defaults for all hosts. The host is the hostname argument given on the command line (i.e., the name is not converted to a canonicalized host name before matching).

AddressFamily
    Specifies which address family to use when connecting. Valid arguments are ``any'', ``inet'' (Use IPv4 only) or ``inet6'' (Use IPv6 only.)

BatchMode
    If set to ``yes'', passphrase/password querying will be disabled. This option is useful in scripts and other batch jobs where no user is present to supply the password. The argument must be ``yes'' or ``no''. The default is ``no''.

BindAddress
    Specify the interface to transmit from on machines with multiple interfaces or aliased addresses. Note that this option does not work if UsePrivilegedPort is set to ``yes''.

ChallengeResponseAuthentication
    Specifies whether to use challenge response authentication. The argument to this keyword must be ``yes'' or ``no''. The default is ``yes''.

CheckHostIP
    If this flag is set to ``yes'', ssh will additionally check the host IP address in the known_hosts file. This allows ssh to detect if a host key changed due to DNS spoofing. If the option is set to ``no'', the check will not be executed. The default is ``yes''.

Cipher
    Specifies the cipher to use for encrypting the session in protocol version 1. Currently, ``blowfish'', ``3des'', and ``des'' are supported. des is only supported in the ssh client for interoperability with legacy protocol 1 implementations that do not support the 3des cipher. Its use is strongly discouraged due to cryptographic weaknesses. The default is ``3des''.
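
The Host matching rule from the man page excerpt above, as an added example (not part of the original page and not OpenSSH code): it resolves the effective options for a hostname and flags the two settings the excerpt warns about. Assumptions: the sample config and host names are constructed, the function names are this example's own, the rule that the first value obtained for a keyword wins comes from ssh_config(5) rather than from the excerpt, and multi-valued keywords such as IdentityFile are not modelled.

```python
import re
# Constructed sample config; host names are invented for this example.
SAMPLE = """\
Host legacy-?.example.com
    Cipher des
    CheckHostIP no
Host *.example.com
    Cipher 3des
    BatchMode yes
Host *
    CheckHostIP yes
"""

def parse(text):
    """Split a config into [(patterns, {keyword: value})] blocks, in file order."""
    blocks = [(["*"], {})]  # declarations before the first Host apply to every host
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)(?:\s*=\s*|\s+)(.*?)\s*$", line)
        if not m:  # blank lines and '#' comments do not match
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)
    return blocks

def matches(pattern, host):
    """Only `*` and `?` are wildcards, as in the man page excerpt."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, host) is not None

def resolve(blocks, host):
    """Effective options for `host`; assumes the first value obtained is kept."""
    eff = {}
    for patterns, opts in blocks:
        if any(matches(p, host) for p in patterns):
            for k, v in opts.items():
                eff.setdefault(k, v)
    return eff

def audit(eff):
    """Flag the two settings the excerpt itself warns about."""
    out = []
    if eff.get("cipher", "").lower() == "des":
        out.append("Cipher des: strongly discouraged, cryptographic weaknesses")
    if eff.get("checkhostip", "").lower() == "no":
        out.append("CheckHostIP no: host key change via DNS spoofing goes undetected")
    return out
```

Because `?` matches exactly one character, `legacy-10.example.com` falls through to the `*.example.com` block, and a specific block only overrides a general one when it appears earlier in the file.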

Document generated by Confluence on Jan 27, 2014 16:56