Keywords in Secure Shell
The following tables list the keywords and their default values, if any. The keywords
are in alphabetical order. Keywords that apply to the client are in the
ssh_config file. Keywords that apply to the server are in the
sshd_config file. Some keywords are set in both files. Keywords
for a Secure Shell server that is running the v1 protocol are marked.
Table 2-1 Keywords in Secure Shell Configuration Files
|
|
|
|
AllowGroups
|
|
Server
|
|
AllowTcpForwarding
|
yes
|
Server
|
|
AllowUsers
|
|
Server
|
|
AuthorizedKeysFile
|
~/.ssh/authorized_keys
|
Server
|
|
Banner
|
/etc/issue
|
Server
|
|
Batchmode
|
no
|
Client
|
|
BindAddress
|
|
Client
|
|
|
yes
|
Client
|
|
ChrootDirectory
|
no
|
Server
|
|
Cipher
|
|
Client
|
|
Ciphers
|
aes128-ctr, aes128-cbc, 3des-cbc, blowfish-cbc,
arcfour
|
Both
|
|
ClearAllForwardings
|
no
|
Client
|
|
ClientAliveCountMax
|
3
|
Server
|
|
ClientAliveInterval
|
0
|
Server
|
|
Compression
|
no
|
Both
|
|
CompressionLevel
|
|
Client
|
|
ConnectionAttempts
|
1
|
Client
|
|
ConnectTimeout
|
System TCP timeout
|
Client
|
|
DenyGroups
|
|
Server
|
|
DenyUsers
|
|
Server
|
|
DisableBanner
|
no
|
Client
|
|
DynamicForward
|
|
Client
|
|
EscapeChar
|
~
|
Client
|
|
FallBackToRsh
|
no
|
Client
|
|
ForwardAgent
|
no
|
Client
|
|
|
no
|
Client
|
|
|
yes
|
Client
|
|
GatewayPorts
|
no
|
Both
|
|
GlobalKnownHostsFile
|
/etc/ssh/ssh_known_hosts
|
Client
|
|
GSSAPIAuthentication
|
yes
|
Both
|
|
GSSAPIDelegateCredentials
|
no
|
Client
|
|
GSSAPIKeyExchange
|
yes
|
Both
|
|
GSSAPIStoreDelegateCredentials
|
yes
|
Server
|
|
HashKnownHosts
|
no
|
Client
|
|
Host
|
|
Client
|
|
HostbasedAuthentication
|
no
|
Both
|
|
HostbasedUsesNameFromPacketOnly
|
no
|
Server
|
|
HostKey (v1)
|
/etc/ssh/ssh_host_key
|
Server
|
|
HostKey (v2)
|
/etc/ssh/host_rsa_key,
/etc/ssh/host_dsa_key
|
Server
|
|
HostKeyAlgorithms
|
ssh-rsa, ssh-dss
|
Client
|
|
HostKeyAlias
|
|
Client
|
|
HostName
|
|
Client
|
|
IdentityFile
|
~/.ssh/id_dsa, ~/.ssh/id_rsa
|
Client
|
|
IgnoreIfUnknown
|
|
Client
|
|
IgnoreRhosts
|
yes
|
Server
|
|
IgnoreUserKnownHosts
|
yes
|
Server
|
|
KbdInteractiveAuthentication
|
yes
|
Both
|
|
KeepAlive
|
yes
|
Both
|
|
KeyRegenerationInterval
|
3600 (seconds)
|
Server
|
|
ListenAddress
|
|
Server
|
|
LocalForward
|
|
Client
|
|
LoginGraceTime
|
120 (seconds)
|
Server
|
|
LogLevel
|
info
|
Both
|
|
LookupClientHostnames
|
yes
|
Server
|
|
MACs
|
hmac-sha1-*,
hmac-md5-*, and
hmac-sha2-* algorithms.
|
Both
|
|
Match
|
|
Server
|
|
MaxStartups
|
10:30:60
|
Server
|
|
NoHostAuthenticationForLocalHost
|
no
|
Client
|
|
NumberOfPasswordPrompts
|
3
|
Client
|
|
PAMServiceName
|
|
Server
|
|
PAMServicePrefix
|
|
Server
|
|
PasswordAuthentication
|
yes
|
Both
|
|
PermitEmptyPasswords
|
no
|
Server
|
|
PermitRootLogin
|
no
|
Server
|
|
PermitUserEnvironment
|
no
|
Server
|
|
PidFile
|
/system/volatile/sshd.pid
|
Server
|
|
Port
|
22
|
Both
|
|
PreferredAuthentications
|
hostbased,publickey,keyboard-
interactive,passwor
|
Client
|
|
PreUserauthHook
|
|
Server
|
|
PrintLastLog
|
yes
|
Server
|
|
PrintMotd
|
no
|
Server
|
|
Protocol
|
2,1
|
Both
|
|
ProxyCommand
|
|
Client
|
|
PubkeyAuthentication
|
yes
|
Both
|
|
RekeyLimit
|
1G to 4G
|
Client
|
|
RemoteForward
|
|
Client
|
|
RhostsAuthentication
|
no
|
Server, v1
|
|
RhostsRSAAuthentication
|
no
|
Server, v1
|
|
RSAAuthentication
|
no
|
Server, v1
|
|
ServerAliveCountMax
|
3
|
Client
|
|
ServerAliveInterval
|
0
|
Client
|
|
ServerKeyBits
|
512 to 768
|
Server, v1
|
|
StrictHostKeyChecking
|
ask
|
Client
|
|
StrictModes
|
yes
|
Server
|
|
Subsystem
|
sftp /usr/lib/ssh/sftp-server
|
Server
|
|
SyslogFacility
|
auth
|
Server
|
|
UseFIPS140
|
no
|
Both
|
|
UseOpenSSLEngine
|
yes
|
Both
|
|
UsePrivilegedPort
|
no
|
Both
|
|
User
|
|
Client
|
|
UserKnownHostsFile
|
~/.ssh/known_hosts
|
Client
|
|
UseRsh
|
no
|
Client
|
|
VerifyReverseMapping
|
no
|
Server
|
|
X11DisplayOffset
|
10
|
Server
|
|
X11Forwarding
|
yes
|
Server
|
|
X11UseLocalHost
|
yes
|
Server
|
|
|
/usr/bin/xauth
|
Both
|
|