Config-Model-OpenSsh


xt/ssh_config.html

<b>ControlMaster</b>, specifies that the master connection
should remain open in the background (waiting for future
client connections) after the initial client connection has
been closed. If set to <b>no</b>, then the master connection
will not be placed into the background, and will close as
soon as the initial client connection is closed. If set to
<b>yes</b> or 0, then the master connection will remain in
the background indefinitely (until killed or closed via a
mechanism such as the &quot;ssh -O exit&quot;). If set to a
time in seconds, or a time in any of the formats documented
in sshd_config(5), then the backgrounded master connection
will automatically terminate after it has remained idle
(with no client connections) for the specified time.</p>

<p style="margin-top: 1em"><b>DynamicForward</b></p>

<p style="margin-left:17%;">Specifies that a TCP port on
the local machine be forwarded over the secure channel, and
the application protocol is then used to determine where to
connect to from the remote machine.</p>

<p style="margin-left:17%; margin-top: 1em">The argument
must be [<i>bind_address</i>:]<i>port</i>. IPv6 addresses can be
specified by enclosing addresses in square brackets. By
default, the local port is bound in accordance with the
<b>GatewayPorts</b> setting. However, an explicit
<i>bind_address</i> may be used to bind the connection to a
specific address. The <i>bind_address</i> of
<b>localhost</b> indicates that the listening port be bound
for local use only, while an empty address or
&rsquo;*&rsquo; indicates that the port should be available
from all interfaces.</p>

<p style="margin-left:17%; margin-top: 1em">Currently the
SOCKS4 and SOCKS5 protocols are supported, and ssh(1) will
act as a SOCKS server. Multiple forwardings may be
specified, and additional forwardings can be given on the
command line. Only the superuser can forward privileged
ports.</p>
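
<p style="margin-left:17%; margin-top: 1em">The following
Python code is an added example, not part of the manual page or of
Config-Model-OpenSsh. It parses the [<i>bind_address</i>:]<i>port</i>
argument described above and reports which <b>DynamicForward</b> lines
leave the SOCKS listener reachable beyond loopback; the function names
and the sample configuration are assumptions made for the illustration.</p>

```python
import ipaddress
import re

# [bind_address:]port; an IPv6 bind_address must be in square brackets.
_ARG = re.compile(r"^(?:(\[[^\]]+\]|[^:\[\]]*):)?(\d+)$")

def parse_dynamic_forward(arg):
    """Return (bind_address, port, exposure) for one DynamicForward argument."""
    m = _ARG.match(arg.strip())
    if not m:
        raise ValueError(f"not [bind_address:]port: {arg!r}")
    bind, port = m.group(1), int(m.group(2))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if bind is None:
        return None, port, "per GatewayPorts"   # no explicit bind_address
    if bind in ("", "*"):
        return "*", port, "all interfaces"      # empty address or '*'
    bind = bind.strip("[]")
    try:
        loopback = bind == "localhost" or ipaddress.ip_address(bind).is_loopback
    except ValueError:
        loopback = False                        # a hostname; not resolved here
    return bind, port, "local only" if loopback else "specific address"

def exposed_forwards(config_text):
    """List (line_no, argument, exposure) for forwards not pinned to loopback."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # keyword and argument are separated by whitespace or a single '='
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == "dynamicforward":
            _, _, exposure = parse_dynamic_forward(parts[1])
            if exposure != "local only":
                findings.append((no, parts[1], exposure))
    return findings

# Constructed sample configuration (not from the page).
SAMPLE_FORWARDS = """\
Host bastion
    DynamicForward 1080
Host lab
    DynamicForward *:1080
Host v6
    DynamicForward [::1]:9050
"""
```
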

<p style="margin-top: 1em"><b>EnableSSHKeysign</b></p>

<p style="margin-left:17%;">Setting this option to
<b>yes</b> in the global client configuration file
<i>/etc/ssh/ssh_config</i> enables the use of the helper
program ssh-keysign(8) during
<b>HostbasedAuthentication</b>. The argument must be
<b>yes</b> or <b>no</b> (the default). This option should be
placed in the non-hostspecific section. See ssh-keysign(8)
for more information.</p>

<p style="margin-top: 1em"><b>EscapeChar</b></p>

<p style="margin-left:17%;">Sets the escape character
(default: &rsquo;~&rsquo;). The escape character can also be
set on the command line. The argument should be a single
character, &rsquo;^&rsquo; followed by a letter, or
<b>none</b> to disable the escape character entirely (making
the connection transparent for binary data).</p>

<p style="margin-top: 1em"><b>ExitOnForwardFailure</b></p>

<p style="margin-left:17%;">Specifies whether ssh(1) should
terminate the connection if it cannot set up all requested
dynamic, tunnel, local, and remote port forwardings (e.g.
if either end is unable to bind and listen on a specified
port). Note that <b>ExitOnForwardFailure</b> does not apply
to connections made over port forwardings and will not, for
example, cause ssh(1) to exit if TCP connections to the
ultimate forwarding destination fail. The argument must be
<b>yes</b> or <b>no</b> (the default).</p>

<p style="margin-top: 1em"><b>FingerprintHash</b></p>

<p style="margin-left:17%;">Specifies the hash algorithm
used when displaying key fingerprints. Valid options are:
<b>md5</b> and <b>sha256</b> (the default).</p>

<p style="margin-top: 1em"><b>ForwardAgent</b></p>

<p style="margin-left:17%;">Specifies whether the
connection to the authentication agent (if any) will be
forwarded to the remote machine. The argument must be
<b>yes</b> or <b>no</b> (the default).</p>

<p style="margin-left:17%; margin-top: 1em">Agent
forwarding should be enabled with caution. Users with the
ability to bypass file permissions on the remote host (for
the agent&rsquo;s Unix-domain socket) can access the local
agent through the forwarded connection. An attacker cannot
obtain key material from the agent; however, they can perform
operations on the keys that enable them to authenticate
using the identities loaded into the agent.</p>

<p style="margin-top: 1em"><b>ForwardX11</b></p>

<p style="margin-left:17%;">Specifies whether X11
connections will be automatically redirected over the secure
channel and DISPLAY set. The argument must be <b>yes</b> or
<b>no</b> (the default).</p>

<p style="margin-left:17%; margin-top: 1em">X11 forwarding
should be enabled with caution. Users with the ability to
bypass file permissions on the remote host (for the
user&rsquo;s X11 authorization database) can access the
local X11 display through the forwarded connection. An
attacker may then be able to perform activities such as
keystroke monitoring if the <b>ForwardX11Trusted</b> option
is also enabled.</p>
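
<p style="margin-left:17%; margin-top: 1em">The following
Python code is an added example, not part of the manual page or of
Config-Model-OpenSsh. It lists the configuration blocks that declare
<b>ForwardAgent yes</b>, or <b>ForwardX11 yes</b> together with
<b>ForwardX11Trusted yes</b>, and marks blocks whose Host patterns
contain wildcards. It reports where the options are declared, not the
value that takes effect for a given host (ssh -G <i>host</i> prints
that); the function name and the sample configuration are assumptions
made for the illustration.</p>

```python
import re

def forwarding_findings(config_text):
    """Return (block_header, finding, wildcard) for risky forwarding options."""
    blocks = [("(global)", {})]
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # keyword and argument are separated by whitespace or a single '='
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) == 2 else ""
        if key in ("host", "match"):
            blocks.append((line, {}))             # a new block starts here
        else:
            blocks[-1][1].setdefault(key, value)  # first value obtained wins
    findings = []
    for header, opts in blocks:
        # Assumption: "(global)" and headers containing * or ? count as broad.
        wildcard = header == "(global)" or any(c in header for c in "*?")
        if opts.get("forwardagent") == "yes":
            findings.append((header, "ForwardAgent yes", wildcard))
        if opts.get("forwardx11") == "yes" and opts.get("forwardx11trusted") == "yes":
            findings.append(
                (header, "ForwardX11 yes with ForwardX11Trusted yes", wildcard))
    return findings

# Constructed sample configuration (not from the page).
SAMPLE_CONFIG = """\
Host jump.example.com
    ForwardAgent yes
Host *.lab.example.com
    ForwardAgent yes
    ForwardX11 yes
    ForwardX11Trusted yes
Host *
    ForwardAgent no
    ForwardX11 no
"""
```
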

<p style="margin-top: 1em"><b>ForwardX11Timeout</b></p>

<p style="margin-left:17%;">Specify a timeout for untrusted
X11 forwarding using the format described in the <i>TIME
FORMATS</i> section of sshd_config(5). X11 connections
received by ssh(1) after this time will be refused. Setting
<b>ForwardX11Timeout</b> to zero will disable the timeout
and permit X11 forwarding for the life of the connection.
The default is to disable untrusted X11 forwarding after


