The SSH-2 protocol family sits between the application software and the transport; layout of the protocol layers:

```
application software (ssh, sshd, scp, ...)

SSH-2 (protocol family):
|------------------------------------------+------------------------------------+--------------------------------------|
| SSH Authentication Protocol [SSH-AUTH]   | SSH Connection Protocol [SSH-CONN] | SSH File Transfer Protocol [SSH-FTP] |
|                                          |                                    |                                      |
| client authentication                    | channel multiplexing               | remote filesystem access             |
|  - publickey                             | pseudo-terminals                   | file transfer                        |
|  - hostbased                             | flow control                       +--------------------------------------|
|  - password                              | signal propagation                 |
|  - gssapi                                | remote program execution           |
|  - gssapi-with-mic                       | authentication agent forwarding    |
|  - external-keyx                         | TCP port and X forwarding          |
|  - keyboard-interactive                  | terminal handling                  |
|                                          | subsystems                         |
|------------------------------------------+---------------------------------------------------------------------------|
| SSH Transport Protocol [SSH-TRANS]                                                                                    |
|                                                                                                                       |
| algorithm negotiation                                                                                                 |
| session key exchange                                                                                                  |
| session ID                                                                                                            |
| privacy                                                                                                               |
| integrity                                                                                                             |
| data compression                                                                                                      |
|-----------------------------------------------------------------------------------------------------------------------|

TCP (or other transparent, duplex byte-oriented connection)
```
The part of the ssh client source that reads the configuration files:

```c
/*
 * Read per-user configuration file.  Ignore the system wide config
 * file if the user specifies a config file on the command line.
 */
if (config != NULL) {
	/* -F was given: only that file is read, /etc/ssh/ssh_config is skipped. */
	if (!read_config_file(config, host, &options, 0))
		fatal("Can't open user config file %.100s: "
		    "%.100s", config, strerror(errno));
} else {
	/* Build ~/.ssh/config from the home directory and read it first. */
	r = snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir,
	    _PATH_SSH_USER_CONFFILE);
	if (r > 0 && (size_t)r < sizeof(buf))
		(void)read_config_file(buf, host, &options, 1);

	/* Read systemwide configuration file after user config. */
	(void)read_config_file(_PATH_HOST_CONFIG_FILE, host, &options, 0);
}
```

So the files are read in the order '~' first, then '/etc/'. Reading further into the source, ssh builds a fresh Options struct on every run. The procedure is:

1) Allocate the memory for the struct and give it a name.
2) Fill every field with a value that means "undefined" (initialize_options()).
3) Parse the command line and fill the fields it defines (main()).
4) Parse the ssh_config under '~' and fill the fields that are defined there in the entries matching the host currently being connected to (read_config_file()).
5) Do the same with the ssh_config under '/etc/' (read_config_file()).
6) Fill in ssh's built-in defaults (fill_default_options()).

A field that is no longer "undefined" is never overwritten. This is what makes a more specific setting take precedence over a more general one.
```
Host example.com
    User test
    Port 1234
    # 'ssh example.com' now implies '-l test -p 1234'.

Host github-projecta
    HostName github.com
    User git
    IdentityFile /path/to/.ssh/id_rsa_for_project_a
    # When HostName is present, Host becomes an alias: 'ssh github-projecta' works.

Host github-projectb
    HostName github.com
    User git
    IdentityFile ~/.ssh/id_rsa_for_project_b
    # Besides '~', a few escape characters can be used in the path.

Host example2.com
    IdentityFile ~/.ssh/id_dsa_hoge
    IdentityFile ~/.ssh/id_dsa_piyo
    # Several keys can be assigned to one host; they are tried in order, top to bottom.

Host *
    Compression yes
    CompressionLevel 1-9   # placeholder: use a single value between 1 and 9
    KeepAlive yes
    # '*' is for settings shared by every host. Put the '*' block last:
    # matching proceeds from the top, and the first value set wins.
```
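The option-merging procedure described above (steps 3 to 6) and the "put Host * last" rule from the sample config, as an added example that is not part of the original page or of OpenSSH: a small Python model of the first-set-wins resolution. The sample config texts, the DEFAULTS table and the function names are constructed for this example; a real ssh prints the result of its own resolution with `ssh -G host`.

```python
# Added example, not OpenSSH code: a toy model of how ssh(1) fills its Options
# struct. It reproduces the rule explained above: values come from the command
# line, then ~/.ssh/config, then /etc/ssh/ssh_config, then built-in defaults,
# and a value is only set the first time it is seen.
import fnmatch
from typing import Any, Dict, List, Sequence, Tuple

MULTI_VALUED = {"identityfile"}  # ssh accumulates these instead of keeping the first

# Constructed stand-in for fill_default_options(); the real table is much longer.
DEFAULTS = {"port": "22", "user": "<login-user>", "compression": "no",
            "forwardagent": "no", "stricthostkeychecking": "ask"}

Directive = Tuple[str, str]
Block = Tuple[List[str], List[Directive]]


def parse_ssh_config(text: str) -> List[Block]:
    """Split ssh_config text into (host patterns, directives) blocks.
    Directives before the first 'Host' line apply to all hosts; '#' comments
    and blank lines are skipped; keywords are case-insensitive."""
    blocks: List[Block] = []
    patterns: List[str] = ["*"]
    directives: List[Directive] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((patterns, directives))
            patterns, directives = value.split(), []
        else:
            directives.append((key, value))
    blocks.append((patterns, directives))
    return blocks


def host_matches(host: str, patterns: Sequence[str]) -> bool:
    """ssh-style Host matching: a matching '!' pattern excludes the block,
    otherwise any matching positive pattern ('*' and '?' wildcards) includes it."""
    negated = [p[1:] for p in patterns if p.startswith("!")]
    positive = [p for p in patterns if not p.startswith("!")]
    if any(fnmatch.fnmatchcase(host, p) for p in negated):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in positive)


def resolve_options(host: str, cmdline: Sequence[Directive] = (),
                    user_config: str = "", system_config: str = "",
                    defaults: Dict[str, str] = DEFAULTS) -> Dict[str, Any]:
    """Effective options for `host`, the name typed on the command line.
    Host patterns are matched against that name, not against HostName, which
    is what lets 'Host github-projecta' act as an alias."""
    options: Dict[str, Any] = {}

    def set_if_unset(key: str, value: str) -> None:
        if key in MULTI_VALUED:
            options.setdefault(key, []).append(value)
        elif key not in options:  # the "still undefined" check: first setting wins
            options[key] = value

    for key, value in cmdline:                          # step 3: command line
        set_if_unset(key.lower(), value)
    for text in (user_config, system_config):          # steps 4 and 5: ~ then /etc
        for patterns, directives in parse_ssh_config(text):
            if host_matches(host, patterns):
                for key, value in directives:
                    set_if_unset(key, value)
    for key, value in defaults.items():                 # step 6: built-in defaults
        set_if_unset(key, value)
    return options


# Constructed sample files, modelled on the snippets above.
USER_CONFIG = """
Host example.com
    User test
    Port 1234
Host github-projecta
    HostName github.com
    User git
    IdentityFile ~/.ssh/id_rsa_for_project_a
Host *
    Compression yes
    IdentityFile ~/.ssh/id_rsa
"""
SYSTEM_CONFIG = "Host *\n    Port 22\n    ForwardAgent yes\n"
# Same directives with the catch-all block first: 'Host *' now shadows the
# host-specific User below it, which is why the '*' block belongs at the end.
MISORDERED_CONFIG = "Host *\n    User nobody\nHost example.com\n    User test\n    Port 1234\n"

if __name__ == "__main__":
    for name in ("example.com", "github-projecta", "other.host"):
        print(name, resolve_options(name, user_config=USER_CONFIG, system_config=SYSTEM_CONFIG))
    print("misordered example.com ->",
          resolve_options("example.com", user_config=MISORDERED_CONFIG)["user"])
```

Running it shows that `Port 22` from the system file never reaches example.com because the user file already set the port, that a `-p` given on the command line beats both files, and that the misordered file silently turns `User test` into `User nobody`.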
```
# Cipher and MAC lists reflect the OpenSSH release this was written for;
# arcfour and hmac-md5 are no longer in the default lists of current releases.
Host *
    AddressFamily inet
    CheckHostIP yes
    Ciphers aes256-ctr,aes192-ctr,aes128-ctr,arcfour256,aes128-cbc
    Compression no
    ConnectionAttempts 1
    ConnectTimeout 10
    ControlMaster auto
    ControlPath ~/.ssh/master-%r@%h:%p
    EscapeChar ~
    ForwardAgent no
    ForwardX11 no
    ForwardX11Trusted no
    HashKnownHosts yes
    IdentityFile ~/.ssh/identity
    IdentityFile ~/.ssh/id_rsa
    IdentityFile ~/.ssh/id_dsa
    IdentityFile ~/.ssh/id_ecdsa
    IdentitiesOnly yes
    MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
    PermitLocalCommand no
    Port 22
    Protocol 2
    RekeyLimit 1G
    ServerAliveInterval 15
    ServerAliveCountMax 3
    StrictHostKeyChecking ask
    TCPKeepAlive no
    Tunnel no
    TunnelDevice any:any
    VisualHostKey no
```
The sample configuration from the comment block in the OpenSSH source (readconf.c):

```c
/* Format of the configuration file:

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Host-specific declarations.  These may override anything above.  A single
# host may match multiple declarations; these are processed in the order
# that they are given in.

Host *.ngs.fi ngs.fi
  User foo

Host fake.com
  HostName another.host.name.real.org
  User blaah
  Port 34289
  ForwardX11 no
  ForwardAgent no

Host books.com
  RemoteForward 9999 shadows.cs.hut.fi:9999
  Cipher 3des

Host fascist.blob.com
  Port 23123
  User tylonen
  PasswordAuthentication no

Host puukko.hut.fi
  User t35124p
  ProxyCommand ssh-proxy %h %p

Host *.fr
  PublicKeyAuthentication no

Host *.su
  Cipher none
  PasswordAuthentication no

Host vpn.fake.com
  Tunnel yes
  TunnelDevice 3

# Defaults for various options
Host *
  ForwardAgent no
  ForwardX11 no
  PasswordAuthentication yes
  RSAAuthentication yes
  RhostsRSAAuthentication yes
  StrictHostKeyChecking yes
  TcpKeepAlive no
  IdentityFile ~/.ssh/identity
  Port 22
  EscapeChar ~

*/
```